A maximum-severity zero-day vulnerability in LiteSpeed’s User-End cPanel Plugin, tracked as CVE-2026-48172 with a CVSS score of 10.0, is being actively exploited in the wild, allowing any cPanel user to execute arbitrary scripts with root privileges.
LiteSpeed has released an emergency patch, and server administrators are urged to upgrade immediately to WHM Plugin v5.3.1.0, which is bundled with cPanel plugin v2.4.7.
CVE-2026-48172 is a critical incorrect privilege assignment vulnerability (CWE-266) in the LiteSpeed User-End cPanel Plugin, affecting all versions from v2.3 to v2.4.4.
The flaw stems from mishandling of the Redis turn-on/off feature, specifically the lsws.redisAble function exposed via the cPanel JSON API. Security researcher David Strydom discovered and responsibly disclosed the vulnerability to LiteSpeed on May 19, 2026.
Critically, LiteSpeed’s parent WHM plugin is not affected by this vulnerability; only the user-end cPanel plugin is impacted. However, given LiteSpeed’s widespread deployment across shared hosting environments globally, the attack surface is enormous, making this a Tier-1 patching priority for every hosting provider and sysadmin running the affected versions.
CVE-2026-48172: LiteSpeed cPanel Vulnerability
At its core, the vulnerability enables privilege escalation to root by exploiting the cpanel_jsonapi_func=redisAble API endpoint. Any authenticated cPanel user, including a malicious tenant on a shared server or an attacker with a compromised low-privilege account, can invoke this function to execute arbitrary scripts with full root-level permissions.
The weakness is classified under CWE-266: Incorrect Privilege Assignment, meaning the plugin failed to enforce proper privilege boundaries when processing Redis state-change requests from unprivileged users.
In a typical shared hosting environment, this means one tenant can silently compromise the entire server, reading, modifying, or deleting data belonging to all other hosted users, injecting backdoors, or pivoting to further attacks.
CVE-2026-48172 was officially registered with MITRE on May 20, 2026, the day after its discovery, underlining the severity and urgency of the disclosure timeline.
LiteSpeed’s incident response and patching timeline unfolded at a rapid pace:
- May 19, 2026: David Strydom reports the vulnerability to LiteSpeed
- May 19, 2026: cPanel (WebPros) pushes an automatic uninstall of the user-end plugin during nightly server updates to prevent further mass exploitation
- May 19, 2026: LiteSpeed releases cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 as an emergency interim patch
- May 20, 2026: LiteSpeed applies for the CVE assignment; NVD publishes the record
- May 21, 2026: After completing a full security audit of both plugins, LiteSpeed releases cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 as the definitive patched build
The fact that cPanel’s own security team took the drastic step of auto-removing the plugin during routine nightly updates signals just how seriously this vulnerability was treated at the infrastructure level.
NVD and LiteSpeed both recommend the following Bash command to check for exploitation indicators in cPanel log directories:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
- No output = No exploitation detected on your server
- Output present = Review the listed IP addresses immediately, block any unauthorized sources, and audit system logs for all actions taken by those IPs
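When the grep above does return hits, the next step is working out which source IPs and which cPanel accounts made the calls. The script below is an added example, not code from LiteSpeed, NVD, or the original article. It assumes combined-log-style lines (IP, dash, cPanel user, timestamp, quoted request, HTTP status) and that rotated logs may be gzip-compressed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize hits for the redisAble indicator by source and account.
# Assumed line layout: IP - USER [DATE TZ] "METHOD PATH PROTO" STATUS ...
# Usage: sh redisable_summary.sh /var/cpanel/logs /usr/local/cpanel/logs

INDICATOR='cpanel_jsonapi_func=redisAble'

# Stream every file under the given directories. Rotated *.gz logs are
# decompressed first, because a plain recursive grep cannot match inside them.
read_logs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) gzip -dc -- "$f" 2>/dev/null ;;
            *)    cat -- "$f" 2>/dev/null ;;
        esac
    done
}

# Print one line per (source IP, cPanel user, HTTP status) with a hit count:
#   IP USER STATUS COUNT
summarize_redisable() {
    read_logs "$@" | grep -F -- "$INDICATOR" | awk '
        {
            key = $1 " " $3 " " $9   # IP, authenticated user, response status
            hits[key]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Run only when directories are passed on the command line.
if [ "$#" -gt 0 ]; then
    summarize_redisable "$@"
fi
```

Every account listed in the output should be treated as potentially compromised when rotating credentials, not just the source IPs.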
Additionally, administrators should inspect their systems for unexpected privileged user accounts, new SSH keys, suspicious cron entries, modified binaries, or unusual outbound connections, all common signs of post-exploitation root activity.
Patch and Mitigation
LiteSpeed strongly recommends the following remediation steps:
- Upgrade immediately to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7 or higher)
- Run the detection command above to check for prior exploitation in your log files
- Block unauthorized IPs found in log output and rotate any potentially exposed credentials, API keys, and database passwords.
- If an immediate upgrade is not possible, remove the vulnerable user-end plugin using:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
LiteSpeed also conducted a proactive, comprehensive security review of both the cPanel and WHM plugins after the initial report, identifying and patching additional potential attack vectors in v2.4.7/v5.3.1.0. However, none of these secondary findings have been reported to have been exploited.
FAQ
Q1: Is the LiteSpeed WHM plugin affected by CVE-2026-48172?
No, only the user-end cPanel plugin (v2.3 to v2.4.4) is impacted; the WHM plugin is not vulnerable.
Q2: What is the safest version to upgrade to right now?
Upgrade to LiteSpeed WHM Plugin v5.3.1.0 bundled with cPanel plugin v2.4.7 or higher.
Q3: Can attackers exploit this without admin credentials?
Yes, any authenticated cPanel user, including low-privileged tenants, can exploit this to gain full root access.
Q4: Did cPanel automatically remove the vulnerable plugin from servers?
Yes, cPanel (WebPros) automatically uninstalled the user-end plugin during nightly updates on May 19, 2026, to contain exploitation.
Site: thecybrdef.com