What Happened
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, giving U.S. federal agencies until May 29 to patch. The flaw sits in the LiteSpeed cPanel user-end plugin — software installed on millions of shared and managed hosting servers that use cPanel as their control panel. With a CVSS score of 9.8, it allows any authenticated cPanel user, including a low-privilege shared hosting account, to invoke the lsws.redisAble function and execute arbitrary scripts as root on the underlying server.
Active exploitation was confirmed before CISA acted. Unknown threat actors are using the vulnerability to deploy variants of the Mirai botnet and a ransomware strain tracked as “Sorry.” The LiteSpeed cPanel plugin is distinct from the LiteSpeed web server itself; the vulnerable versions run from 2.3 through 2.4.4, and version 2.4.5 patches the issue. According to The Hacker News, the attack surface is significant because the plugin is enabled by default on many cPanel deployments.
Why This Matters for Canadian Organizations
cPanel is the dominant web hosting control panel in the Canadian shared hosting market. Every major Canadian hosting provider — from national telcos to regional web hosts — deploys it at scale. A single compromised shared hosting account is all an attacker needs to own the entire server, affecting every other tenant on the same machine. This makes the threat especially serious for Canadian municipalities, small businesses, healthcare clinics, and educational institutions that rely on shared hosting for their web presence.
The ransomware component adds a data breach notification dimension. Under Canada’s PIPEDA and provincial privacy laws, a successful attack leading to data exfiltration before encryption triggers mandatory breach reporting obligations to the Office of the Privacy Commissioner. The Mirai botnet deployment component also creates a secondary risk: compromised Canadian servers become DDoS infrastructure directed at other victims. Canadian MSPs managing client cPanel environments on behalf of customers face the same exposure — if one client account is weak, the entire shared environment is at risk.
Earlier this year, the “Sorry” ransomware strain was also linked to exploitation of CVE-2026-41940, the previous cPanel zero-day that targeted Canadian MSPs. The same toolchain appearing here suggests a sustained campaign against cPanel infrastructure.
What to Do
Update the LiteSpeed cPanel plugin to version 2.4.5 immediately on every cPanel server in your environment. If patching is not possible within 24 hours, disable or remove the plugin until a maintenance window allows the update. Audit shared hosting server logs for invocations of lsws.redisAble or unexpected root-level script execution events dating back at least 30 days. If any evidence of compromise exists, treat the server as fully compromised — attacker root access gives full control of all hosted accounts and data. Review cPanel server hardening: restrict which users have plugin access and ensure account isolation settings are set to their strictest configuration. Report any confirmed intrusions to the Canadian Centre for Cyber Security at cyber.gc.ca.
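One way to script the version check and the 30-day log audit described above. This is an added example, not code from LiteSpeed, cPanel or the original article. The log line layout, the timestamp format and the sample lines are constructed assumptions; adapt `TS_RE` to the logs your servers actually write.

```python
import re
from datetime import datetime, timedelta, timezone

NEEDLE = "lsws.redisAble"   # function name given in the advisory
FIXED = (2, 4, 5)           # advisory: 2.3 through 2.4.4 affected, 2.4.5 fixed
FIRST_AFFECTED = (2, 3, 0)
# Assumed timestamp layout, matching the constructed sample lines below.
TS_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample lines (not real log output).
SAMPLE_LOG = [
    "[2026-05-20 03:14:07 +0000] user=tenant1 call=lsws.redisAble",
    "[2026-03-01 11:00:00 +0000] user=tenant2 call=lsws.redisAble",
    "[2026-05-21 09:30:00 +0000] user=tenant3 call=other.function",
    "user=tenant9 call=LSWS.REDISABLE",
]

def parse_version(text):
    """Turn '2.4.4' into (2, 4, 4), zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the plugin version falls in the affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def find_invocations(lines, now, days=30):
    """Return (timestamp, line) for lines naming the function within the window.

    A matching line with no parseable timestamp is kept with timestamp None,
    so a log-format mismatch cannot silently hide a hit.
    """
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        if NEEDLE.lower() not in line.lower():
            continue
        m = TS_RE.search(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z") if m else None
        if ts is None or ts >= cutoff:
            hits.append((ts, line.rstrip("\n")))
    return hits

if __name__ == "__main__":
    now = datetime(2026, 5, 27, tzinfo=timezone.utc)  # fixed date for the sample
    print("2.4.4 vulnerable:", is_vulnerable("2.4.4"))
    for ts, line in find_invocations(SAMPLE_LOG, now):
        print(ts.isoformat() if ts else "no-timestamp", "|", line)
```

Any hit is a reason to start the full-compromise handling described above, not proof that the server is clean when there are none, since an attacker with root can alter logs.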






