CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Threat Overview

BleepingComputer and CISA recently highlighted an actively exploited vulnerability, CVE-2026-48172, affecting a LiteSpeed cPanel plugin. This flaw presents a critical initial access vector (T1190) for attackers, prompting urgent patching directives for federal agencies. We observed that successful exploitation attempts leave a distinct artifact in web server logs, making it highly detectable.

Our analysis focused on this specific indicator to develop a robust KQL detection rule. The query targets the unique string `cpanel_jsonapi_func=redisAble`, which signifies an attempt to exploit the vulnerability. We designed the rule to union data from two common log sources: `Syslog` and `CommonSecurityLog`.

Within the `Syslog` table, we look for the exploit string within the `SyslogMessage` field and extract the `AttackerIp` from the message itself. For `CommonSecurityLog`, we search the `RequestURL` field for the same string, leveraging existing `SourceIP` and `DestinationHostName` fields. This combined approach ensures broad coverage across environments that might log web traffic differently, allowing defenders to identify attempted exploitation of the LiteSpeed cPanel plugin.

Defenders should deploy this KQL query in their SIEM to monitor for any attempts against their cPanel installations. We recommend reviewing any alerts generated by this rule immediately, investigating the `AttackerIp` and `TargetHost` for further malicious activity, and ensuring all cPanel instances are patched against CVE-2026-48172.

Detection Rules

Initial Access / T1190

This detection identifies attempts to exploit CVE-2026-48172, a vulnerability in a public-facing LiteSpeed cPanel plugin. The query searches for the unique string `cpanel_jsonapi_func=redisAble` in web server logs, which is a clear indicator of an attacker attempting to gain initial access and achieve remote code execution with elevated privileges.

KQL

```kql
// Look back one day for the exploit string in two log sources and
// normalise both branches into one output schema.
let timeframe = 1d;
let exploitString = "cpanel_jsonapi_func=redisAble";
union isfuzzy=true (
    // Syslog branch: the web server access log arrives as free text, so the
    // attacker address is pulled out of the message with a regex (the first
    // IPv4 address in the message; confirm your log format places the client
    // address first before trusting this value).
    Syslog
    | where TimeGenerated >= ago(timeframe)
    | where SyslogMessage has exploitString
    | extend AttackerIp = tostring(extract(@'([0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3})', 1, SyslogMessage))
    | project
        TimeGenerated,
        DetectionSource = "Syslog",
        Activity = "LiteSpeed cPanel Exploit Attempt",
        TargetHost = HostName,
        AttackerIp,
        Payload = SyslogMessage
),
(
    // CommonSecurityLog (CEF) branch: the request URL and source IP are
    // already parsed into their own columns, so no extraction is needed.
    CommonSecurityLog
    | where TimeGenerated >= ago(timeframe)
    | where RequestURL has exploitString
    | project
        TimeGenerated,
        DetectionSource = "CommonSecurityLog",
        Activity = "LiteSpeed cPanel Exploit Attempt",
        TargetHost = DestinationHostName,
        AttackerIp = SourceIP,
        Payload = RequestURL
)
// Entity columns Sentinel uses to map the alert's host and IP entities.
| extend HostCustomEntity = TargetHost, IPCustomEntity = AttackerIp
```

Verified against live Sentinel — May 27, 2026
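To show how the two branches of the query above (and the log-source logic described in the Threat Overview) behave on concrete records, here is an added Python re-implementation that is not part of the original page or the Overwatch rule. It runs offline over constructed sample rows shaped like the `Syslog` and `CommonSecurityLog` tables, mirrors the regex-based IP extraction for Syslog and the column reuse for CommonSecurityLog, and unions both into the same output schema. It goes one step beyond the KQL in one respect: it percent-decodes the request before matching, so an encoded form of the indicator is still caught. The sample IPs, hostnames and timestamps are invented for illustration.

```python
"""Offline re-implementation of the CVE-2026-48172 Sentinel detection.

Constructed sample records (not real telemetry) stand in for the Syslog and
CommonSecurityLog tables; the functions mirror the KQL query's two branches.
"""
import re
from urllib.parse import unquote

EXPLOIT_STRING = "cpanel_jsonapi_func=redisAble"
ACTIVITY = "LiteSpeed cPanel Exploit Attempt"
# Same pattern the KQL extract() uses: the first dotted-quad in the message.
IPV4_RE = re.compile(r"([0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3})")

# Constructed sample rows (hypothetical hosts and addresses) in Sentinel table shape.
SYSLOG_ROWS = [
    {"TimeGenerated": "2026-05-27T10:01:00Z", "HostName": "web01",
     "SyslogMessage": '203.0.113.7 - - [27/May/2026:10:01:00 +0000] '
                      '"GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512'},
    {"TimeGenerated": "2026-05-27T10:02:00Z", "HostName": "web01",
     "SyslogMessage": '203.0.113.9 - - [27/May/2026:10:02:00 +0000] '
                      '"GET /index.php HTTP/1.1" 200 1024'},
    # Percent-encoded '=' (%3D): a literal substring match would miss this row.
    {"TimeGenerated": "2026-05-27T10:03:00Z", "HostName": "web02",
     "SyslogMessage": '198.51.100.4 - - [27/May/2026:10:03:00 +0000] '
                      '"GET /json-api/cpanel?cpanel_jsonapi_func%3DredisAble HTTP/1.1" 200 512'},
]
CSL_ROWS = [
    {"TimeGenerated": "2026-05-27T10:04:00Z", "DestinationHostName": "web03",
     "SourceIP": "192.0.2.55", "RequestURL": "/json-api/cpanel?cpanel_jsonapi_func=redisAble"},
    {"TimeGenerated": "2026-05-27T10:05:00Z", "DestinationHostName": "web03",
     "SourceIP": "192.0.2.56", "RequestURL": "/login/"},
]


def contains_exploit(text: str) -> bool:
    """Case-insensitive match after percent-decoding, so encoded variants still hit."""
    return EXPLOIT_STRING.lower() in unquote(text).lower()


def detect_syslog(rows):
    """Mirror of the Syslog branch: match on SyslogMessage, extract the first IPv4."""
    hits = []
    for row in rows:
        msg = row["SyslogMessage"]
        if not contains_exploit(msg):
            continue
        match = IPV4_RE.search(msg)
        # Caveat: this takes the first dotted-quad in the message. In combined log
        # format that is the client address, but a format that prefixes the server's
        # own address would yield the wrong AttackerIp; check your log layout.
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "DetectionSource": "Syslog",
            "Activity": ACTIVITY,
            "TargetHost": row["HostName"],
            "AttackerIp": match.group(1) if match else "",
            "Payload": msg,
        })
    return hits


def detect_csl(rows):
    """Mirror of the CommonSecurityLog branch: match on RequestURL, reuse SourceIP."""
    return [
        {
            "TimeGenerated": row["TimeGenerated"],
            "DetectionSource": "CommonSecurityLog",
            "Activity": ACTIVITY,
            "TargetHost": row["DestinationHostName"],
            "AttackerIp": row["SourceIP"],
            "Payload": row["RequestURL"],
        }
        for row in rows
        if contains_exploit(row["RequestURL"])
    ]


def run_detection(syslog_rows=SYSLOG_ROWS, csl_rows=CSL_ROWS):
    """Union both branches into one result set, as the KQL union does."""
    return detect_syslog(syslog_rows) + detect_csl(csl_rows)


if __name__ == "__main__":
    for alert in run_detection():
        print(f'{alert["TimeGenerated"]} {alert["DetectionSource"]:<17} '
              f'{alert["AttackerIp"]:>15} -> {alert["TargetHost"]}')
```

Running the script produces three alerts: two from the Syslog branch (including the percent-encoded request) and one from CommonSecurityLog, each carrying the same six columns the KQL projects. The decoding step is the one deliberate deviation from the query: if you want the same behaviour in Sentinel, add a `url_decode()` over the matched field before the `has` filter.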

What This Catches

This detection logic targets specific behavioral indicators mapped to the MITRE framework as identified in the source intelligence.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1190

Want This Detection in Your Environment?

Overwatch deploys and manages detection rules like this across your Microsoft Sentinel workspace, with continuous tuning and 24/7 monitoring.

Book a Consultation