CVE-2026-48172 IBM QRadar · QRadar

Detect LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) in IBM QRadar

Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category,
  "Process Name",
  "Command",
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'cPanel', 'Syslog')
  AND (
    ("Process Name" ILIKE '%lshttpd%' OR "Process Name" ILIKE '%lsphp%' OR "Process Name" ILIKE '%lsws_cpanel%' OR "Process Name" ILIKE '%litespeed%')
    AND (
      "Command" ILIKE '%uid=0%' OR "Command" ILIKE '%euid=0%'
      OR "Command" ILIKE '%chmod%' OR "Command" ILIKE '%chown root%'
      OR "Command" ILIKE '%usermod%' OR "Command" ILIKE '%visudo%'
      OR "Command" ILIKE '%privilege%' OR "Command" ILIKE '%escalat%'
    )
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC
LIMIT 500
critical severity medium confidence

QRadar AQL query surfacing LiteSpeed cPanel Plugin processes involved in privilege escalation commands or UID-0 transitions across Linux and cPanel log sources.

Data Sources

Linux OS Log SourcecPanel Log SourceSyslog

Required Tables

events

False Positives & Tuning

  • System administrator manually running LiteSpeed management commands as root
  • cPanel automated provisioning that invokes LiteSpeed under elevated context
  • Patch management systems updating LiteSpeed plugin files with root permissions

Other platforms for CVE-2026-48172

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate LiteSpeed Plugin Privilege Escalation via SUID Binary Invocation

    Expected signal: Process creation event for /tmp/lsphp with SUID bit set; child process reporting uid=0 or euid=0 in execve audit record.

  2. Test 2LiteSpeed Parent Process Spawning usermod Command

    Expected signal: SecurityEvent/audit log showing useradd/usermod syscall with uid=0, parent process traceable to a litespeed-named process or shell.

  3. Test 3Unauthorized sudoers Entry via LiteSpeed Process Context

    Expected signal: File write to /etc/sudoers.d/ captured in Linux audit log (auditd WRITE syscall on path /etc/sudoers.d/litespeed_test) with triggering process running as UID 0.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48172 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1068Exploitation for Privilege EscalationT1548Abuse Elevation Control MechanismT1505.003Web Shell

Same Tactic: Privilege Escalation

Popular Detections