**CISA** has mandated that U.S. government agencies secure their servers against an actively exploited vulnerability, **CVE-2026-48172**, found in the **LiteSpeed cPanel** user-end plugin. This critical directive underscores the immediate threat posed by the flaw. ### Understanding the Vulnerability Reported by **Namecheap**, **CVE-2026-48172** is a high-severity vulnerability that enables attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running **CloudLinux/CageFS**. The flaw, affecting all user-end plugin versions prior to 2.4.8, originates from a 'UNIX symlink following' weakness. **LiteSpeed** first flagged this vulnerability as actively exploited in early June. The company promptly released urgent security updates, advising users to update the **cPanel** user-end plugin (which is bundled with the **WHM** plugin) to the latest version. ### How to Check for Compromise Users can check if their server is vulnerable or potentially exploited by running the following command: If this command yields any output, it suggests the vulnerability might have been exploited. **LiteSpeed** recommends examining system logs for actions taken by detected IPs to assess the extent of any damage. The company emphasized that this vulnerability is under active exploitation and poses a risk to all user-end plugin versions predating 2.4.8. ### CISA's Urgent Mandate On Monday, **CISA** added **CVE-2026-48172** to its **Known Exploited Vulnerabilities Catalog** (**KEV**). This inclusion triggers a binding operational directive (**BOD 26-04**) that requires Federal Civilian Executive Branch (**FCEB**) agencies to secure their systems within three days. **BOD 26-04**, issued last Wednesday, revokes older directives and mandates that U.S. federal agencies prioritize patching based on exploitation risk. Key factors in this assessment include whether a flaw is in the **KEV** catalog, its public exposure, potential for automated large-scale attacks, and the level of control it grants attackers. **CISA** warned that such vulnerabilities are frequent attack vectors for malicious cyber actors, presenting significant risks to federal operations. Agencies are advised to follow **BOD 26-04** guidance for cloud services or discontinue product use if mitigations are unavailable. Stakeholders are responsible for evaluating asset internet exposure and ensuring adherence to patching guidelines. This is not an isolated incident; last month, **CISA** also urged federal agencies to patch another **LiteSpeed cPanel** vulnerability, **CVE-2026-48172**, which unauthenticated attackers exploited to execute arbitrary scripts with root privileges.