CISA Orders Federal Agencies to Patch Exploited cPanel LiteSpeed Plugin in 4 Days
Actively Exploited cPanel Flaw Gets a Hard Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency has added a critical vulnerability in the LiteSpeed cPanel user-end plugin to its Known Exploited Vulnerabilities catalog, giving federal civilian agencies just four days to remediate. That is not a suggestion — agencies that miss the deadline are out of compliance with Binding Operational Directive 22-01.
What Happened
CISA confirmed that attackers are actively exploiting a flaw in the LiteSpeed plugin distributed through the cPanel interface. While the full technical write-up is still emerging, the exploitation is live in the wild, meaning proof-of-concept is past the theoretical stage. The four-day window signals CISA's assessment that the blast radius is high and the barrier to exploit is low.
Why It Matters
cPanel is the dominant web hosting control panel on the internet. The LiteSpeed plugin — used to configure the LiteSpeed Web Server or LiteSpeed Cache from within cPanel's user interface — touches a massive installed base: shared hosts, VPS providers, and self-managed servers running everything from small business sites to government contractor infrastructure.
An exploitable flaw at the cPanel plugin layer can mean unauthenticated remote code execution, privilege escalation, or account takeover depending on the vulnerability class. Any of those outcomes on a hosting server gives an attacker a foothold into every site on that box. For organizations running their own cPanel stacks, the risk is direct. For those hosted on a shared provider, the risk lands on the provider — but your data sits on the same iron.
The four-day federal mandate is the loudest signal CISA can send short of an emergency directive. Historically, vulnerabilities that earn this treatment turn into mass-exploitation events within days of the KEV listing going public, as less sophisticated actors pile on once a flaw is confirmed exploitable.
What to Do
If you run cPanel servers:
- Update the LiteSpeed plugin immediately. Log into WHM, navigate to cPanel Store or Manage Plugins, and apply any pending LiteSpeed updates. Do this now, not during the next maintenance window.
- Check your cPanel and LiteSpeed versions. Ensure both the server-level LiteSpeed binary and the cPanel-facing plugin are on the latest stable release.
- Review access logs for unusual plugin API calls or requests to LiteSpeed plugin endpoints from unexpected IPs.
- Restrict WHM/cPanel access by IP if you have not already — even a temporary allowlist buys time while you patch.
- Notify your hosting provider if you are on managed cPanel hosting and ask for confirmation that the patch has been applied at the infrastructure level.
If you are a federal agency: You already have your orders. Four days. Document your remediation.
This is a patch-first, investigate-later situation. The exploitation is live and the window is short.
Synthesized by Claude · sanity-checked before publish.