
Outage in Liquid Web

Security Advisory - LiteSpeed Privilege Escalation Vulnerability CVE-2026-48172

Resolved Major
May 25, 2026 - Started 1 day ago - Lasted about 5 hours

Incident Report

Summary AI Generated

A high-severity privilege escalation vulnerability (CVE-2026-48172) in the LiteSpeed cPanel plugin allowed unprivileged users to gain root access, with evidence of active exploitation in the wild. The vulnerability affected cPanel systems running LiteSpeed plugin versions v2.3 to v2.4.4. Liquid Web's security team completed infrastructure assessments, forced security updates on all accessible managed systems, and reviewed for indicators of compromise over 5.2 hours.

Components affected
Liquid Web CPanel

Latest Updates ( sorted recent to last )
RESOLVED 1 day ago - at 05/26/2026 12:29AM

Status Update

Our security and operations teams completed the assessment of our infrastructure, which forced a upcp update today for all systems we were able to reach. We also reviewed environments for the indicators of compromise noted in the LiteSpeed article below. We will address any findings via a support ticket. We are resolving this incident at this time.

Customer Guidance
Customers are strongly encouraged to ensure they are running the updated version of the LiteSpeed plugin and to review their systems for the indicators of compromise. If our team does not have access to your system because it is unmanaged, self-managed, or access has been updated but not shared with Liquid Web, then we would not have been able to reach your system in order to apply updates or check for indicators of compromise.

If you have any questions or concerns, you can reach us through the following channels:

Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com

IDENTIFIED 1 day ago - at 05/25/2026 07:17PM

A recently disclosed vulnerability (CVE-2026-48172) in the LiteSpeed user-end cPanel plugin allows an unprivileged user to escalate to root privileges in plugin versions between v2.3 and v2.4.4. This issue has been classified as high severity. Public reports suggest the vulnerability was being exploited in the wild in May 2026, and indicators of compromise have been published. On May 19th cPanel issued a separate update which disabled and removed the plugin. This vulnerability is patched in v2.4.7 of the user-end plugin and v5.3.1.0 of the WHM plugin (which bundles the user-end plugin).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-48172
https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
https://support.cpanel.net/hc/en-us/articles/40599423437079-Security-LiteSpeed-plugin-automatically-removed-during-nightly-update-May-19-2026

Status
Our security and operations teams are completing an assessment of our infrastructure and will force a upcp update today for all systems we are able to reach. We plan to review for Indicators of Compromise following the updates.

Customer Guidance
Customers managing their own systems or using unmanaged services should ensure they have applied the latest security updates or have removed the plugin. Customers should also review their systems for indicators of compromise using the information provided in the LiteSpeed blog article.

Should you need any assistance or have any questions or concerns, you can reach us through the following channels:

Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com

We will continue monitoring this vulnerability and will provide updates if new information becomes available.
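
One way to triage a fleet inventory against the version ranges stated in this advisory, as an added example (not code from Liquid Web, cPanel or LiteSpeed). The inventory layout, host names and verdict labels are assumptions; collecting the installed version is left to your own tooling.

```python
import re

# Version boundaries exactly as stated in the advisory text.
USER_AFFECTED_LOW, USER_AFFECTED_HIGH = "v2.3", "v2.4.4"
USER_FIXED, WHM_FIXED = "v2.4.7", "v5.3.1.0"

# Constructed sample inventory; the "host component version" layout is an assumption.
SAMPLE = """\
web01.example user v2.4.4
web02.example user 2.3
web03.example user v2.4.7
web04.example user v2.4.5
web05.example whm  5.3.1.0
web06.example whm  v5.2.9
web07.example user absent
web08.example user v2.4.x
"""

def parse(version):
    """'v2.4.4' -> (2, 4, 4, 0), zero-padded so 2.3 and 2.3.0 compare equal."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(component, version):
    if version == "absent":      # plugin not installed, e.g. removed by the May 19 cPanel update
        return "removed"
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"     # never guess a version; send the host to manual review
    if component == "whm":       # the advisory gives only the fixed WHM plugin version
        return "patched" if v >= parse(WHM_FIXED) else "below-fixed"
    if v >= parse(USER_FIXED):
        return "patched"
    if parse(USER_AFFECTED_LOW) <= v <= parse(USER_AFFECTED_HIGH):
        return "vulnerable"
    return "not-listed"          # outside both stated ranges: check the vendor article

def triage(inventory):
    """Return {host: verdict} for each non-comment 'host component version' line."""
    lines = (l.strip() for l in inventory.splitlines())
    rows = (l.split() for l in lines if l and not l.startswith("#"))
    return {host: classify(comp, ver) for host, comp, ver in rows}

if __name__ == "__main__":
    print("\n".join(f"{h:15}{v}" for h, v in triage(SAMPLE).items()))
```

A version such as v2.4.5 falls between the stated affected range and the stated fix, so it is reported as `not-listed` rather than assumed safe. A `patched` or `removed` verdict does not replace the indicator-of-compromise review the guidance calls for.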
