Detect LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) in Google Chronicle
Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).
YARA-L Detection Query
rule cve_2026_48172_litespeed_privesc {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects LiteSpeed cPanel Plugin privilege escalation CVE-2026-48172"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/"
    yara_version = "YL2.0"

  events:
    // $e1: a process launched by a binary living under a LiteSpeed install path
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /\/usr\/local\/lsws|\/opt\/litespeed|\/usr\/local\/cpanel.*litespeed/
    $e1.principal.hostname = $hostname

    // $e2: a privilege-modification command launched in root context
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.target.process.file.full_path = /(chmod|chown|usermod|visudo|passwd|sudo|su)$/
    $e2.target.user.userid = "0"
    $e2.principal.hostname = $hostname

    // $e2 must not precede $e1
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds

  match:
    // both events must occur on the same host within a 5-minute window
    $hostname over 5m

  condition:
    $e1 and $e2
}

Chronicle YARA-L rule detecting LiteSpeed cPanel Plugin (CVE-2026-48172) exploitation: a LiteSpeed process followed within 5 minutes by a root-context privilege modification command on the same host.
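To make the rule's correlation logic concrete before deploying it, the following Python script (an added example, not code from df00tech or from Google Chronicle) re-implements the same two-event match over constructed PROCESS_LAUNCH telemetry. The `ProcessLaunch` dataclass and its field names are an assumed, simplified stand-in for the UDM fields the rule references; the regexes and the 300-second window are taken from the rule itself. The sample events are constructed to show one true positive and three near misses (wrong order, outside the window, and a privilege command not running as root).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Same patterns and window as the YARA-L rule; YARA-L regex comparison is a
# partial (unanchored) match, so re.search is the equivalent here.
LITESPEED_PARENT = re.compile(r"/usr/local/lsws|/opt/litespeed|/usr/local/cpanel.*litespeed")
PRIV_MOD_CMD = re.compile(r"(chmod|chown|usermod|visudo|passwd|sudo|su)$")
WINDOW_SECONDS = 300


@dataclass(frozen=True)
class ProcessLaunch:
    """Assumed minimal stand-in for a UDM PROCESS_LAUNCH event."""
    hostname: str        # principal.hostname
    ts: int              # metadata.event_timestamp.seconds
    principal_path: str  # principal.process.file.full_path (launching process)
    target_path: str     # target.process.file.full_path (launched process)
    target_userid: str   # target.user.userid ("0" means root)


def is_litespeed_launch(ev: ProcessLaunch) -> bool:
    """$e1: the launching process lives under a LiteSpeed install path."""
    return LITESPEED_PARENT.search(ev.principal_path) is not None


def is_root_priv_mod(ev: ProcessLaunch) -> bool:
    """$e2: a privilege-modification binary launched in root context."""
    return ev.target_userid == "0" and PRIV_MOD_CMD.search(ev.target_path) is not None


def correlate(events: List[ProcessLaunch]) -> List[Tuple[ProcessLaunch, ProcessLaunch]]:
    """Return every ($e1, $e2) pair on the same host where $e2 occurs at or
    after $e1 and no more than WINDOW_SECONDS later (the rule's 5m window)."""
    e1s = [e for e in events if is_litespeed_launch(e)]
    e2s = [e for e in events if is_root_priv_mod(e)]
    return [
        (e1, e2)
        for e1 in e1s
        for e2 in e2s
        if e1.hostname == e2.hostname and e1.ts <= e2.ts <= e1.ts + WINDOW_SECONDS
    ]


def describe(hits: List[Tuple[ProcessLaunch, ProcessLaunch]]) -> List[str]:
    """Human-readable summary line per correlated pair (for triage output)."""
    return [
        f"{e1.hostname}: {e1.principal_path} (t={e1.ts}) -> {e2.target_path} as uid 0 (t={e2.ts})"
        for e1, e2 in hits
    ]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # web01: LiteSpeed control script spawns a shell, usermod runs as root 120 s later -> hit
    ProcessLaunch("web01", 1000, "/usr/local/lsws/bin/lswsctrl", "/bin/sh", "1001"),
    ProcessLaunch("web01", 1120, "/bin/sh", "/usr/sbin/usermod", "0"),
    # web01: root passwd launch BEFORE the LiteSpeed event -> rejected by the ordering check
    ProcessLaunch("web01", 900, "/usr/sbin/cron", "/usr/bin/passwd", "0"),
    # web02: chmod as root 400 s after the LiteSpeed launch -> outside the 5-minute window
    ProcessLaunch("web02", 2000, "/opt/litespeed/bin/lshttpd", "/bin/bash", "1002"),
    ProcessLaunch("web02", 2400, "/bin/bash", "/bin/chmod", "0"),
    # web03: chmod from a LiteSpeed path but as an unprivileged user -> not root context
    ProcessLaunch("web03", 3000, "/usr/local/lsws/bin/lsphp", "/bin/chmod", "1003"),
]


if __name__ == "__main__":
    for line in describe(correlate(SAMPLE_EVENTS)):
        print(line)
```

Running the script prints a single line for web01; the other three hosts' events are rejected by the ordering, window and root-context checks respectively, which is the behaviour to confirm when tuning the window or the command list for your environment.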
False Positives & Tuning
- LiteSpeed plugin upgrades executed by hosting administrators in a maintenance window
- Automated cPanel provisioning that chains LiteSpeed setup with user management
- Security baseline tools auditing LiteSpeed file permissions as root
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate LiteSpeed Plugin Privilege Escalation via SUID Binary Invocation
  Expected signal: Process creation event for /tmp/lsphp with SUID bit set; child process reporting uid=0 or euid=0 in execve audit record.
- Test 2: LiteSpeed Parent Process Spawning usermod Command
  Expected signal: SecurityEvent/audit log showing useradd/usermod syscall with uid=0, parent process traceable to a litespeed-named process or shell.
- Test 3: Unauthorized sudoers Entry via LiteSpeed Process Context
  Expected signal: File write to /etc/sudoers.d/ captured in Linux audit log (auditd WRITE syscall on path /etc/sudoers.d/litespeed_test) with triggering process running as UID 0.