Detect LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) in Microsoft Sentinel
Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).
MITRE ATT&CK
KQL Detection Query
let LiteSpeedPaths = dynamic(['/usr/local/lsws', '/opt/litespeed', '/usr/local/cpanel/whostmgr/docroot/cgi/litespeed']);
let SuspiciousCommands = dynamic(['chmod', 'chown', 'sudo', 'su', 'usermod', 'passwd', 'visudo', 'crontab']);
union isfuzzy=true
(
Syslog
| where ProcessName in~ ('lsphp', 'lshttpd', 'litespeed', 'lsws_cpanel')
| where SyslogMessage has_any ('privilege', 'escalat', 'root', 'uid=0', 'euid=0', 'suid')
| extend EventType = 'SyslogPrivilegeEscalation'
),
(
SecurityEvent
| where EventID in (4688, 4672, 4728, 4732)
| where NewProcessName has_any (LiteSpeedPaths) or ParentProcessName has_any (LiteSpeedPaths)
| extend EventType = 'WindowsProcessPrivilege'
),
(
AuditLogs
| where OperationName has_any ('litespeed', 'cpanel')
| where ResultDescription has_any ('privilege', 'escalation', 'root access')
| extend EventType = 'AuditPrivilegeChange'
)
| project TimeGenerated, EventType, Computer, AccountName = coalesce(AccountName, tostring(TargetAccount)), ProcessName = coalesce(ProcessName, NewProcessName), CommandLine = coalesce(SyslogMessage, CommandLine), _ResourceId
| extend RiskScore = case(
CommandLine has 'uid=0', 90,
CommandLine has 'euid=0', 90,
CommandLine has_any ('visudo', 'usermod'), 80,
CommandLine has_any ('chmod +s', 'chown root'), 85,
70
)
| where RiskScore >= 70
| order by TimeGenerated descDetects LiteSpeed cPanel Plugin processes spawning with elevated privileges or executing privilege-escalation commands on Linux/cPanel hosts. Correlates syslog, security events, and audit logs for evidence of CVE-2026-48172 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- LiteSpeed administrative tasks performed by legitimate sysadmins during maintenance windows
- Automated cPanel plugin updates that temporarily run as root
- Hosting provider provisioning scripts that invoke LiteSpeed with elevated context
- Monitoring agents that inspect LiteSpeed process state and trigger audit events
Other platforms for CVE-2026-48172
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate LiteSpeed Plugin Privilege Escalation via SUID Binary Invocation
Expected signal: Process creation event for /tmp/lsphp with SUID bit set; child process reporting uid=0 or euid=0 in execve audit record.
- Test 2LiteSpeed Parent Process Spawning usermod Command
Expected signal: SecurityEvent/audit log showing useradd/usermod syscall with uid=0, parent process traceable to a litespeed-named process or shell.
- Test 3Unauthorized sudoers Entry via LiteSpeed Process Context
Expected signal: File write to /etc/sudoers.d/ captured in Linux audit log (auditd WRITE syscall on path /etc/sudoers.d/litespeed_test) with triggering process running as UID 0.
Unlock Pro Content
Get the full detection package for CVE-2026-48172 including response playbook, investigation guide, and atomic red team tests.