Since the original LiteSpeed cPanel plugin vulnerability was reported, Microsoft has discovered and patched two separate zero-day vulnerabilities (previously unknown security flaws) in Windows Defender that attackers were already exploiting in real-world attacks. Microsoft has urged users to update their Defender software immediately to close these security gaps and prevent unauthorized access to their systems.
A security weakness in the LiteSpeed cPanel plugin is being actively exploited by hackers to take control of web servers. The flaw, tracked as CVE-2026-48172, allows attackers to run commands with root access—the highest level of control on a computer. Security researchers have confirmed active attacks against servers worldwide.
The vulnerability exists because the plugin does not properly check permissions before executing code. This means someone outside the server can send specially crafted requests that trick the plugin into running their malicious instructions. Web hosting companies rely on cPanel to manage hundreds or thousands of customer websites, making this plugin a high-value target.
Website owners and hosting companies are at immediate risk. If a hacker gains root access on a server, they can steal customer data, install permanent backdoors that are hard to remove, demand ransom, or replace websites with malicious content. Small and medium-sized hosting providers are particularly vulnerable because they often run older versions of software. Large enterprises that update regularly are less exposed.
LiteSpeed and cPanel have released security patches to fix the flaw. Web hosting companies are being urged to update immediately and review server logs for signs of intrusion. The Cybersecurity and Infrastructure Security Agency, a U.S. government agency that tracks threats, is monitoring the exploitation rate. Server administrators who have not patched should treat their systems as potentially compromised and change all passwords.