LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172)

let LiteSpeedPaths = dynamic(['/usr/local/lsws', '/opt/litespeed', '/usr/local/cpanel/whostmgr/docroot/cgi/litespeed']);
let SuspiciousCommands = dynamic(['chmod', 'chown', 'sudo', 'su', 'usermod', 'passwd', 'visudo', 'crontab']);
union isfuzzy=true
(
  Syslog
  | where ProcessName in~ ('lsphp', 'lshttpd', 'litespeed', 'lsws_cpanel')
  | where SyslogMessage has_any ('privilege', 'escalat', 'root', 'uid=0', 'euid=0', 'suid')
  | extend EventType = 'SyslogPrivilegeEscalation'
),
(
  SecurityEvent
  | where EventID in (4688, 4672, 4728, 4732)
  | where NewProcessName has_any (LiteSpeedPaths) or ParentProcessName has_any (LiteSpeedPaths)
  | extend EventType = 'WindowsProcessPrivilege'
),
(
  AuditLogs
  | where OperationName has_any ('litespeed', 'cpanel')
  | where ResultDescription has_any ('privilege', 'escalation', 'root access')
  | extend EventType = 'AuditPrivilegeChange'
)
| project TimeGenerated, EventType, Computer, AccountName = coalesce(AccountName, tostring(TargetAccount)), ProcessName = coalesce(ProcessName, NewProcessName), CommandLine = coalesce(SyslogMessage, CommandLine), _ResourceId
| extend RiskScore = case(
    CommandLine has 'uid=0', 90,
    CommandLine has 'euid=0', 90,
    CommandLine has_any ('visudo', 'usermod'), 80,
    CommandLine has_any ('chmod +s', 'chown root'), 85,
    70
  )
| where RiskScore >= 70
| order by TimeGenerated desc

index=os OR index=linux_secure OR index=cpanel
(sourcetype=syslog OR sourcetype=linux_audit OR sourcetype=cpanel_access_log)
(
  (process IN ("lshttpd", "lsphp", "lsws_cpanel", "litespeed") AND (message IN ("*uid=0*", "*euid=0*", "*privilege*", "*escalat*", "*suid*", "*root*")))
  OR
  (path IN ("/usr/local/lsws/*", "/opt/litespeed/*", "/usr/local/cpanel/whostmgr/docroot/cgi/litespeed*") AND (command IN ("chmod", "chown", "sudo", "su", "usermod", "visudo")))
  OR
  (type="EXECVE" AND (a0 IN ("*lsws*", "*lsphp*", "*litespeed*")) AND (a1 IN ("*root*", "*0*", "*uid*")))
)
| eval risk_score=case(
    match(message, "uid=0|euid=0"), 90,
    match(message, "visudo|usermod"), 80,
    match(command, "chmod \+s|chown root"), 85,
    true(), 70
  )
| where risk_score >= 70
| stats count min(_time) as first_seen max(_time) as last_seen values(message) as messages values(command) as commands by host, user, process, risk_score
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"), last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")
| sort - risk_score, - count

sequence by host.name with maxspan=5m
  [process where process.name in ("lshttpd", "lsphp", "lsws_cpanel", "litespeed") and
   (process.args : ("*uid=0*", "*euid=0*", "*suid*") or
    process.executable : ("/usr/local/lsws/*", "/opt/litespeed/*"))]
  [process where process.user.id == "0" and
   process.parent.name in ("lshttpd", "lsphp", "lsws_cpanel", "litespeed",
                           "bash", "sh", "dash") and
   process.name in ("chmod", "chown", "usermod", "visudo", "su", "sudo", "passwd")]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category,
  "Process Name",
  "Command",
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'cPanel', 'Syslog')
  AND (
    ("Process Name" ILIKE '%lshttpd%' OR "Process Name" ILIKE '%lsphp%' OR "Process Name" ILIKE '%lsws_cpanel%' OR "Process Name" ILIKE '%litespeed%')
    AND (
      "Command" ILIKE '%uid=0%' OR "Command" ILIKE '%euid=0%'
      OR "Command" ILIKE '%chmod%' OR "Command" ILIKE '%chown root%'
      OR "Command" ILIKE '%usermod%' OR "Command" ILIKE '%visudo%'
      OR "Command" ILIKE '%privilege%' OR "Command" ILIKE '%escalat%'
    )
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC
LIMIT 500

_sourceCategory=linux/syslog OR _sourceCategory=cpanel/access OR _sourceCategory=linux/audit
| where _raw matches /lshttpd|lsphp|lsws_cpanel|litespeed/
| where _raw matches /uid=0|euid=0|privilege|escalat|chmod.*\+s|chown.*root|usermod|visudo/
| parse regex "(?P<process>lshttpd|lsphp|lsws_cpanel|litespeed)" nodrop
| parse regex "(?P<uid_info>uid=\d+|euid=\d+)" nodrop
| parse regex "(?P<cmd>chmod|chown|usermod|visudo|sudo|su|passwd)" nodrop
| timeslice 5m
| count by _timeslice, _sourceHost, process, uid_info, cmd
| where _count > 0
| sort by _timeslice desc

rule cve_2026_48172_litespeed_privesc {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects LiteSpeed cPanel Plugin privilege escalation CVE-2026-48172"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/"
    yara_version = "YL2.0"
  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /\/usr\/local\/lsws|\/opt\/litespeed|\/usr\/local\/cpanel.*litespeed/
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.target.process.file.full_path = /(chmod|chown|usermod|visudo|passwd|sudo|su)$/
    $e2.target.user.userid = "0"
    $e1.principal.hostname = $e2.principal.hostname
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds
    $e2.metadata.event_timestamp.seconds - $e1.metadata.event_timestamp.seconds <= 300
  condition:
    $e1 and $e2
}

#event_simpleName=ProcessRollup2
| ImageFileName = /(\/usr\/local\/lsws|\/opt\/litespeed|\/usr\/local\/cpanel.*litespeed|\/usr\/bin\/lsphp|lshttpd|lsws_cpanel)/
| join type=inner (
    #event_simpleName=ProcessRollup2
    | ParentImageFileName = /(\/usr\/local\/lsws|\/opt\/litespeed|lshttpd|lsphp|lsws_cpanel)/
    | ImageFileName = /\/(chmod|chown|usermod|visudo|sudo|su|passwd)$/
    | UserSid = "S-1-0-0" OR UserName = "root"
  )
  on [aid, ParentProcessId]
| eval risk = "CVE-2026-48172 LiteSpeed PrivEsc"
| table timestamp, aid, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, risk
| sort -timestamp