CVE-2026-48172
published 2026-05-21

Priority: P1 · 94 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2026-05-29
Exploited in the wild
EPSS: 18.91% (96.9th percentile)
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | cpanel_plugin | >= 2.3 < 2.4.7 | 2.4.7 |
| litespeed_technologies | whm_plugin | < 5.3.1.0 | 5.3.1.0 |
| litespeedtech | litespeed_cpanel_plugin | < 2.4.7 | 2.4.7 |
| litespeedtech | litespeed_whm_plugin | < 5.3.1.0 | 5.3.1.0 |

Detection & IOCs (extracted from sources)

command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
command: grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
process: lsws.redisAble
command: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
path: /var/cpanel/logs
path: /usr/local/cpanel/logs/
  • Search cPanel logs for the string 'cpanel_jsonapi_func=redisAble' to identify exploitation attempts of CVE-2026-48172. Any output indicates potential exploitation; examine the associated IP addresses for legitimacy and block suspicious ones.
  • For the follow-on variant (CVE-2026-54420), search cPanel logs for 'cpanel_jsonapi_func=generateEcCert', 'cpanel_jsonapi_func=packageUserSize', or 'cert_action_entry .*geneccert' to identify exploitation attempts.
  • The vulnerability is exploitable by any cPanel user account (including compromised accounts) via the lsws.redisAble function — monitor for unexpected privilege escalation to root originating from cPanel user sessions.
  • Affected plugin versions are 2.3 through 2.4.4; presence of these versions on a server is a risk indicator. The patched minimum recommended version is 2.4.7 (bundled with WHM plugin 5.3.1.0).
  • The vulnerability is related to mishandling of Redis enable/disable features; monitor for anomalous Redis enable/disable API calls via the cPanel JSON API interface.
  • The NVD advisory and THN report state the fix is in version 2.4.5, while the BleepingComputer/NVD follow-up and THN also reference 2.4.7 (bundled with WHM plugin 5.3.1.0) as the recommended minimum after additional attack vectors were patched. Operators should target 2.4.7 / WHM 5.3.1.0 or higher.
  • The BleepingComputer 'CISA warns of another' article conflates CVE-2026-48172 with a separate follow-on vulnerability CVE-2026-54420 and references a different detection command. Ensure the correct grep pattern is used for each CVE when performing log triage.
  • LiteSpeed's WHM plugin itself is NOT impacted by CVE-2026-48172; only the user-end cPanel plugin versions 2.3–2.4.4 are affected.
  • The vulnerability specifically affects shared hosting servers running CloudLinux/CageFS; environments not using these configurations may have a different risk profile.
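
The log triage described above, as an added example that is not taken from the advisory or from LiteSpeed: it runs the two grep patterns quoted on this page separately and counts hits per source IP, so matches are attributed to the right CVE. The function names are hypothetical, the sample log lines are constructed, and it assumes each matching log line begins with the client IP.

```shell
#!/usr/bin/env bash
# Added example: per-CVE log triage using the grep patterns quoted on this page.
# Assumption: each matching log line starts with the client IP (combined-log
# style). Change the awk field if your cPanel logs are laid out differently.

# Patterns copied verbatim from the page's two detection commands.
PAT_48172='cpanel_jsonapi_func=redisAble'
PAT_54420='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# triage_cve <label> <pattern> <dir>...
# Prints "<label> <ip> <hits>" for every source IP, most hits first.
triage_cve() {
  local label=$1 pattern=$2
  shift 2
  grep -rhE -- "$pattern" "$@" 2>/dev/null |
    awk -v l="$label" '{ n[$1]++ } END { for (ip in n) print l, ip, n[ip] }' |
    sort -k3,3nr -k2,2
}

# triage_all <dir>...: run both patterns, keeping the two CVEs apart.
triage_all() {
  triage_cve CVE-2026-48172 "$PAT_48172" "$@"
  triage_cve CVE-2026-54420 "$PAT_54420" "$@"
}

# make_sample_logs <dir>: constructed lines using documentation IP ranges,
# not real cPanel log output.
make_sample_logs() {
  cat > "$1/access_log" <<'EOF'
198.51.100.7 - alice [21/May/2026:10:00:01 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.7 - alice [21/May/2026:10:00:05 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.9 - bob [22/May/2026:11:30:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200 0
192.0.2.44 - carol [22/May/2026:12:00:00 +0000] "GET /frontend/index.html HTTP/1.1" 200 0
EOF
}

# On a server: ./triage.sh /var/cpanel/logs /usr/local/cpanel/logs/
if [ "$#" -gt 0 ]; then
  triage_all "$@"
fi
```

No output means neither pattern matched in the directories given; any IP listed still needs to be checked against the account's legitimate users before blocking.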

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |