CISA Adds LiteSpeed cPanel Vulnerability to KEV: 3-Day Patch Deadline for Federal Agencies

AIGovHub Editorial | June 17, 2026

What Happened

On [date], CISA added CVE-2026-48172, a high-severity vulnerability in the LiteSpeed cPanel user-end plugin, to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, reported by Namecheap, affects all plugin versions before 2.4.8 and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS. LiteSpeed has released urgent updates and provided a command to check for exploitation.

Under Binding Operational Directive (BOD) 26-04, issued in June 2026, U.S. federal agencies must patch KEV-listed vulnerabilities within three days. BOD 26-04 replaces older directives and emphasizes risk-based prioritization based on factors including KEV inclusion, public exposure, automation potential, and impact.

Why It Matters

This vulnerability is particularly dangerous for hosting providers and shared environments. A successful exploit gives attackers root-level control, enabling them to compromise all sites on a shared server, steal data, deploy malware, or pivot to other systems. The active exploitation in the wild means that unpatched systems are at immediate risk.

For federal agencies and contractors, the inclusion in KEV triggers mandatory patching under BOD 26-04. Failure to comply can result in audit findings, loss of FedRAMP authorization, or contract penalties. FedRAMP requires cloud service providers to maintain a vulnerability management program that includes timely patching of critical and high-severity vulnerabilities. The three-day deadline for KEV vulnerabilities sets a stringent bar that demands automated patch management and continuous monitoring.

Contractors and service providers that host government data or operate FedRAMP-authorized systems must ensure their shared hosting environments are patched. The vulnerability also highlights the importance of securing FTP and web shell access, as these are the attack vectors. Organizations should review their LiteSpeed plugin versions and apply the update (version 2.4.8 or later) immediately.

What Organizations Should Do

  • Patch immediately: Update the LiteSpeed cPanel user-end plugin to version 2.4.8 or later. Use the detection command provided by LiteSpeed to check for exploitation.
  • Review access controls: Restrict FTP and web shell access to minimize attack surface. Implement multi-factor authentication where possible.
  • Monitor compliance: Track KEV additions and BOD 26-04 deadlines. Automated tools can help prioritize patches based on risk.
  • Verify FedRAMP posture: If you operate a FedRAMP-authorized system, ensure patching is documented and within SLA requirements.
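
The patch and monitoring steps above, as an added Python example (not code from LiteSpeed, CISA or this article's author): it flags hosts whose plugin version is below 2.4.8 and marks them overdue once the three-day window has passed. The host names, inventory and `dateAdded` value are constructed; the feed field names follow CISA's public KEV JSON.

```python
import json
from datetime import date, datetime, timedelta

FIXED_VERSION = "2.4.8"   # first fixed plugin release named in the article
PATCH_WINDOW_DAYS = 3     # KEV remediation window the article attributes to BOD 26-04
# Constructed KEV-style sample; dateAdded is a placeholder (the article gives no date).
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2026-48172", "vendorProject": "LiteSpeed", "dateAdded": "2026-06-15"}
]}""")
# Constructed inventory: hypothetical host name -> reported plugin version.
INVENTORY = {"shared-01": "2.4.7", "shared-02": "2.4.8", "shared-03": "2.4.10",
             "shared-04": "2.3", "shared-05": None, "shared-06": "unknown"}

def parse_version(text):
    """'2.4.10' -> (2, 4, 10); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """Numeric comparison, so 2.4.10 is not mistaken for older than 2.4.8."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def kev_deadline(feed, cve_id, window_days=PATCH_WINDOW_DAYS):
    """Date by which the CVE must be patched, or None if it is not listed."""
    for entry in feed["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            added = datetime.strptime(entry["dateAdded"], "%Y-%m-%d").date()
            return added + timedelta(days=window_days)
    return None

def host_status(version, deadline, today):
    if version is None:
        return "not-installed"
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        return "verify-manually"  # unknown version: never assume patched
    if not vulnerable:
        return "patched"
    late = deadline is not None and today > deadline
    return "overdue" if late else "patch-required"

def triage(inventory, feed, cve_id, today):
    deadline = kev_deadline(feed, cve_id)
    return deadline, {h: host_status(v, deadline, today) for h, v in inventory.items()}

if __name__ == "__main__":
    print(triage(INVENTORY, KEV_FEED, "CVE-2026-48172", date(2026, 6, 17)))
```

A plain string comparison would rank "2.4.10" below "2.4.8" and report a patched host as vulnerable, which is why the versions are compared as integer tuples.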

For organizations managing multiple environments, manual tracking of vulnerabilities and deadlines is error-prone. Platforms like AIGovHub's SENTINEL module provide real-time monitoring of KEV additions, automated compliance deadline tracking, and cross-referencing with FedRAMP and other regulatory frameworks. SENTINEL ingests data from 435+ intelligence sources, including CISA, to alert teams within minutes of a new KEV entry.

This content is for informational purposes only and does not constitute legal advice.