CVE-2026-48172
Published 2026-05-21
Priority P194 · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2026-05-29
Exploited in the wild
EPSS: 18.91% (96.9th percentile)
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | cpanel_plugin | >= 2.3 < 2.4.7 | 2.4.7 |
| litespeed_technologies | whm_plugin | < 5.3.1.0 | 5.3.1.0 |
| litespeedtech | litespeed_cpanel_plugin | < 2.4.7 | 2.4.7 |
| litespeedtech | litespeed_whm_plugin | < 5.3.1.0 | 5.3.1.0 |
Detection & IOCs (extracted from sources)
command: `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null`
command: `grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null`
- Search cPanel logs for the string 'cpanel_jsonapi_func=redisAble' to identify exploitation attempts of CVE-2026-48172. Any output indicates potential exploitation; examine the associated IP addresses for legitimacy and block suspicious ones.
- For the follow-on variant (CVE-2026-54420), search cPanel logs for 'cpanel_jsonapi_func=generateEcCert', 'cpanel_jsonapi_func=packageUserSize', or 'cert_action_entry .*geneccert' to identify exploitation attempts.
- The vulnerability is exploitable by any cPanel user account (including compromised accounts) via the lsws.redisAble function; monitor for unexpected privilege escalation to root originating from cPanel user sessions.
- Affected plugin versions are 2.3 through 2.4.4; presence of these versions on a server is a risk indicator. The patched minimum recommended version is 2.4.7 (bundled with WHM plugin 5.3.1.0).
- The vulnerability is related to mishandling of Redis enable/disable features; monitor for anomalous Redis enable/disable API calls via the cPanel JSON API interface.
- The NVD advisory and THN report state the fix is in version 2.4.5, while the BleepingComputer/NVD follow-up and THN also reference 2.4.7 (bundled with WHM plugin 5.3.1.0) as the recommended minimum after additional attack vectors were patched. Operators should target 2.4.7 / WHM 5.3.1.0 or higher.
- The BleepingComputer 'CISA warns of another' article conflates CVE-2026-48172 with a separate follow-on vulnerability CVE-2026-54420 and references a different detection command. Ensure the correct grep pattern is used for each CVE when performing log triage.
- LiteSpeed's WHM plugin itself is NOT impacted by CVE-2026-48172; only the user-end cPanel plugin versions 2.3–2.4.4 are affected.
- The vulnerability specifically affects shared hosting servers running CloudLinux/CageFS; environments not using these configurations may have a different risk profile.
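
An added example (not from LiteSpeed or any source quoted on this page) that runs both grep patterns in one pass, tags each hit with the CVE its indicator belongs to, and counts hits per source address. It assumes each log line starts with the client IP; the function name `triage_logs` and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-CVE, per-source summary of the indicator strings above.
# Assumption: every log line starts with the client IP (access_log style).

# Usage: triage_logs DIR...   -> prints "CVE HITS SOURCE", one line per pair
triage_logs() {
  grep -rhE 'cpanel_jsonapi_func=(redisAble|generateEcCert|packageUserSize)|cert_action_entry .*geneccert' \
    "$@" 2>/dev/null |
  awk '
    {
      # The redisAble indicator belongs to CVE-2026-48172; the other
      # three strings belong to the follow-on CVE-2026-54420.
      cve = ($0 ~ /cpanel_jsonapi_func=redisAble/) ? "CVE-2026-48172" : "CVE-2026-54420"
      # Trust field 1 as the source only if it looks like an IPv4 or IPv6 address.
      ok = ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $1 ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$/)
      src = ok ? $1 : "unknown"
      hits[cve " " src]++
    }
    END { for (k in hits) { split(k, p, " "); print p[1], hits[k], p[2] } }
  ' | sort
}

# Constructed sample log (documentation-range addresses) so this runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/access_log" <<'EOF'
203.0.113.7 - alice [21/May/2026:10:01:02 +0000] "GET /cpsess1/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
203.0.113.7 - alice [21/May/2026:10:01:09 +0000] "GET /cpsess1/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
198.51.100.4 - bob [10/Jun/2026:03:12:44 +0000] "GET /cpsess2/json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
192.0.2.10 - carol [10/Jun/2026:04:00:00 +0000] "GET /cpsess3/frontend/index.html HTTP/1.1" 200
EOF
triage_logs "$demo_dir"
```

On a real server, pass the two directories from the commands above (`/var/cpanel/logs /usr/local/cpanel/logs/`) instead of the sample directory.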
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
VulDB
LiteSpeed User-End cPanel Plugin up to 2.4.4 /var/cpanel/logs cpanel_jsonapi_func privileges assignment (EUVD-2026-31204)
vuldb·2026-05-21·CVSS 10.0
CVE-2026-48172 [CRITICAL] LiteSpeed User-End cPanel Plugin up to 2.4.4 /var/cpanel/logs cpanel_jsonapi_func privileges assignment (EUVD-2026-31204)
A vulnerability classified as very critical was found in LiteSpeed User-End cPanel Plugin up to 2.4.4. Affected by this vulnerability is the function cpanel_jsonapi_func of the file /var/cpanel/logs. The manipulation results in incorrect privilege assignment.
This vulnerability is known as CVE-2026-48172. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
GHSA-fxrh-cwjh-m33v: LiteSpeed User-End cPanel Plugin before 2
ghsa_unreviewed·2026-05-21
CVE-2026-48172 [CRITICAL] CWE-266 GHSA-fxrh-cwjh-m33v: LiteSpeed User-End cPanel Plugin before 2
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.
VulnCheck
Incorrect Privilege Assignment
vulncheck·2026·CVSS 10.0
CVE-2026-48172 [CRITICAL] Incorrect Privilege Assignment
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Affected: LiteSpeed Technologies cPanel Plugin
Required Actio
CISA
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
cisa·2026-05-26·CVSS 10.0
CVE-2026-48172 [CRITICAL] CWE-266 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
Vulnerability: LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
Affected: LiteSpeed cPanel Plugin
LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-48172
Remediation Due Date: 2026-05-29
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA warns of another cPanel plugin flaw exploited in attacks
blogs_bleepingcomputer·2026-06-16·CVSS 9.8
CVE-2026-54420 [CRITICAL] CISA warns of another cPanel plugin flaw exploited in attacks
## CISA warns of another cPanel plugin flaw exploited in attacks
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a 'UNIX symlink following' weakness.
LiteSpeed flagged it as actively exploited in early June and released urgent security updates, warning users to update the cPanel u
Bleepingcomputer
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
blogs_bleepingcomputer·2026-05-27·CVSS 10.0
CVE-2026-48172 [CRITICAL] CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
## CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks.
Tracked as CVE-2026-48172, this privilege escalation vulnerability is related to the mishandling of Redis enable/disable features and was found in the lsws.redisAble function.
The vulnerability stems from an incorrect privilege assignment weakness that enables remote attackers with no privileges to execute arbitrary scripts with root privileges.
LiteSpeed released urgent security updates on Thursday to address the flaw, warning users to update the c
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Hackernews
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
blogs_hackernews·2026-05-23·CVSS 10.0
CVE-2026-48172 [CRITICAL] LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
## LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.
The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.
"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said.
The vulnerability impacts all versions of the plugin between 2.3 and
- https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
- https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel
- https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48172
Published: 2026-05-21
Added to CISA KEV: 2026-05-26
Exploited in the wild