CVE-2026-48172 CrowdStrike LogScale · LogScale

Detect LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) in CrowdStrike LogScale

Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(\/usr\/local\/lsws|\/opt\/litespeed|\/usr\/local\/cpanel.*litespeed|\/usr\/bin\/lsphp|lshttpd|lsws_cpanel)/
| join type=inner (
    #event_simpleName=ProcessRollup2
    | ParentImageFileName = /(\/usr\/local\/lsws|\/opt\/litespeed|lshttpd|lsphp|lsws_cpanel)/
    | ImageFileName = /\/(chmod|chown|usermod|visudo|sudo|su|passwd)$/
    | UserSid = "S-1-0-0" OR UserName = "root"
  )
  on [aid, ParentProcessId]
| eval risk = "CVE-2026-48172 LiteSpeed PrivEsc"
| table timestamp, aid, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, risk
| sort -timestamp
critical severity high confidence

CrowdStrike Falcon CQL hunting query joining LiteSpeed parent processes with child privilege-escalation commands running as root. Surfaces exploitation chains consistent with CVE-2026-48172.

Data Sources

CrowdStrike Falcon Endpoint ActivityProcessRollup2 Events

Required Tables

ProcessRollup2

False Positives & Tuning

  • LiteSpeed managed updates deployed by CrowdStrike-exempted admin accounts
  • WHM auto-installer spawning LiteSpeed setup with elevated rights during onboarding
  • Hosting platform automation that runs privilege commands under LiteSpeed process tree

Other platforms for CVE-2026-48172

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate LiteSpeed Plugin Privilege Escalation via SUID Binary Invocation

    Expected signal: Process creation event for /tmp/lsphp with SUID bit set; child process reporting uid=0 or euid=0 in execve audit record.

  2. Test 2LiteSpeed Parent Process Spawning usermod Command

    Expected signal: SecurityEvent/audit log showing useradd/usermod syscall with uid=0, parent process traceable to a litespeed-named process or shell.

  3. Test 3Unauthorized sudoers Entry via LiteSpeed Process Context

    Expected signal: File write to /etc/sudoers.d/ captured in Linux audit log (auditd WRITE syscall on path /etc/sudoers.d/litespeed_test) with triggering process running as UID 0.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48172 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1068Exploitation for Privilege EscalationT1548Abuse Elevation Control MechanismT1505.003Web Shell

Same Tactic: Privilege Escalation

Popular Detections