CVE-2026-48172 Elastic Security · Elastic

Detect LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) in Elastic Security

Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where process.name in ("lshttpd", "lsphp", "lsws_cpanel", "litespeed") and
   (process.args : ("*uid=0*", "*euid=0*", "*suid*") or
    process.executable : ("/usr/local/lsws/*", "/opt/litespeed/*"))]
  [process where process.user.id == "0" and
   process.parent.name in ("lshttpd", "lsphp", "lsws_cpanel", "litespeed",
                           "bash", "sh", "dash") and
   process.name in ("chmod", "chown", "usermod", "visudo", "su", "sudo", "passwd")]
critical severity high confidence

EQL sequence detection: LiteSpeed process followed within 5 minutes by a root-context privilege modification command spawned from a LiteSpeed or shell parent. Indicates privilege escalation chain consistent with CVE-2026-48172.

Data Sources

Endpoint Process LogsAuditbeatElastic Agent

Required Tables

logs-endpoint.events.process-*auditbeat-*

False Positives & Tuning

  • Authorized LiteSpeed plugin updates run interactively by root administrators
  • Automated WHM tasks that chain LiteSpeed management with system user changes
  • Security tools that exec from LiteSpeed process space during audits

Other platforms for CVE-2026-48172

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate LiteSpeed Plugin Privilege Escalation via SUID Binary Invocation

    Expected signal: Process creation event for /tmp/lsphp with SUID bit set; child process reporting uid=0 or euid=0 in execve audit record.

  2. Test 2LiteSpeed Parent Process Spawning usermod Command

    Expected signal: SecurityEvent/audit log showing useradd/usermod syscall with uid=0, parent process traceable to a litespeed-named process or shell.

  3. Test 3Unauthorized sudoers Entry via LiteSpeed Process Context

    Expected signal: File write to /etc/sudoers.d/ captured in Linux audit log (auditd WRITE syscall on path /etc/sudoers.d/litespeed_test) with triggering process running as UID 0.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48172 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1068Exploitation for Privilege EscalationT1548Abuse Elevation Control MechanismT1505.003Web Shell

Same Tactic: Privilege Escalation

Popular Detections