The Short Version

  • CVE-2026-48172 affects the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4
  • CVSS v4.0 score: 10.0 (Maximum) / CVSS v3.1: 9.8 (Critical)
  • Any authenticated cPanel user, including on a shared hosting account, can execute arbitrary scripts as root on the underlying server
  • Actively exploited in the wild; listed in the CISA Known Exploited Vulnerabilities catalog
  • Disclosed May 21, 2026
  • Patch: WHM Plugin 5.3.1.0 / cPanel Plugin 2.4.7
  • If patching is not immediately possible: uninstall the plugin
  • The parent LiteSpeed WHM Plugin is not affected

For any shared hosting provider running LiteSpeed with the cPanel plugin, a customer who signed up yesterday for the cheapest plan can now take over the entire server they sit on. CVE-2026-48172, disclosed May 21, 2026 and actively exploited within hours, lets any authenticated cPanel user execute arbitrary scripts as root on the underlying host. A single compromised tenant compromises every other customer on the same machine. The vulnerability is on the CISA Known Exploited Vulnerabilities catalog with a federal patch deadline of June 16, 2026. Multi-tenant LiteSpeed cPanel operators have less margin than that.

What the Vulnerability Does

The flaw is in the lsws.redisAble function, which handles Redis enable and disable operations inside the plugin. The function can be invoked by any authenticated cPanel user, regardless of privilege level. When called, it executes arbitrary scripts with root-level privileges on the underlying server. A single compromised shared hosting account is sufficient to exploit this and take full control of the host machine, affecting every other customer on the same server.

The CVSS v4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H: network-reachable, low attack complexity, no attack requirements, no privileges required, no user interaction, and high impact to confidentiality, integrity and availability on both the vulnerable system and the subsequent systems it touches (here, every other tenant on the host). One caveat when reading the vector: PR:N formally denotes an attacker with no prior authorization, whereas the advisory describes an attacker who holds an ordinary cPanel login, which CVSS would usually score as PR:L. The practical reading is the one that matters for a shared host: no admin or elevated role is needed, so any standard cPanel account on the server is sufficient, including the cheapest plan a customer can buy or an account taken over through credential theft.

The flaw was discovered and reported by security researcher David Strydom.

Scope and Patch

Affected versions are LiteSpeed User-End cPanel Plugin 2.3 through 2.4.4; the LiteSpeed WHM Plugin itself is not affected. LiteSpeed first shipped a partial fix as cPanel Plugin 2.4.5, then, after reviewing additional attack vectors, a complete remediation as WHM Plugin 5.3.1.0 bundled with cPanel Plugin 2.4.7. Treat cPanel Plugin 2.4.5 and WHM Plugin 5.2.10 as partial mitigation only; the fully remediated version is WHM Plugin 5.3.1.0 / cPanel Plugin 2.4.7.
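A small triage helper, added here as an example and not LiteSpeed's own tooling, maps an installed cPanel Plugin version onto the ranges above and runs the mapping over a "hostname version" inventory. The functions ver_ge, classify_cpanel_plugin and fleet_report and the inventory lines are the example's own; how each server's installed version is obtained (package query, configuration management) is left to the operator. It also makes one assumption the advisory does not state outright: any build between 2.4.5 and 2.4.7 is treated as partial, since 2.4.7 is the only version named as a complete fix.

```bash
#!/bin/sh
# Added example (not LiteSpeed tooling): classify an installed LiteSpeed
# cPanel Plugin version against the ranges in this advisory and run the
# check over a fleet inventory. Obtaining each server's installed version
# (package query, config management, etc.) is left to the operator.
set -eu

# ver_ge A B: exit 0 if dotted numeric version A is >= B, comparing up to
# three components and treating missing components as 0 (so "2.3" == "2.3.0").
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Map a cPanel Plugin version to the advisory's status. Ranges from the text:
# 2.3 through 2.4.4 vulnerable, 2.4.5 partial mitigation, 2.4.7 complete fix.
# Assumption: anything between 2.4.5 and 2.4.7 (e.g. a 2.4.6 build) is treated
# as partial, because the advisory names 2.4.7 as the only complete remediation.
# Versions below 2.3 are outside the stated range and are reported as such for
# manual verification rather than assumed safe.
classify_cpanel_plugin() {
    if ver_ge "$1" "2.4.7"; then echo fixed
    elif ver_ge "$1" "2.4.5"; then echo partial
    elif ver_ge "$1" "2.3"; then echo vulnerable
    else echo outside-advisory-range
    fi
}

# Read "hostname version" pairs on stdin, print "hostname version status".
fleet_report() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$ver" "$(classify_cpanel_plugin "$ver")"
    done
}

# Constructed inventory: hostnames and versions invented for the example.
SAMPLE_INVENTORY='web-01.example.net 2.4.7
web-02.example.net 2.4.5
web-03.example.net 2.4.4
web-04.example.net 2.2.9'

# Run with --demo to print the report for the constructed inventory.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | fleet_report
fi
```

Anything the report marks vulnerable or partial goes straight to the patch or uninstall step; an outside-advisory-range result is a prompt to confirm what is actually installed, not a clean bill.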

If immediate patching is not possible, the mitigation is to uninstall the vulnerable component entirely:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

To check whether exploitation has been attempted against a server (a hit shows the function was called, whether or not the call succeeded; an attacker who already holds root can also have edited or truncated these logs, so an empty result is not proof of a clean host):

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
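As an added example, not part of the advisory or LiteSpeed's tooling, the same check as a small script that reads log text on stdin and summarises who called redisAble, from which client address, and how often. The log lines it ships with are constructed for the example and only loosely follow the shape of cPanel's access log; the function names redisable_count and redisable_hits are the example's own.

```bash
#!/bin/sh
# Added example (not LiteSpeed or cPanel tooling): summarise redisAble calls
# found in cPanel access-style log lines. Reads log text on stdin.
set -eu

# Constructed sample log lines, not real captures. They loosely follow the
# shape of cPanel's access log (client IP, "-", account, timestamp, request
# line, status, size); only the request line is used for detection.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - alice [22/May/2026:03:14:07 +0000] "GET /cpsess0000000001/frontend/jupiter/index.html HTTP/1.1" 200 4812
203.0.113.10 - alice [22/May/2026:03:14:22 +0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&arg=1 HTTP/1.1" 200 61
198.51.100.7 - tenant42 [22/May/2026:03:15:01 +0000] "POST /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 500 0
198.51.100.7 - tenant42 [22/May/2026:03:15:09 +0000] "GET /cpsess0000000002/frontend/jupiter/mail/index.html HTTP/1.1" 200 9023
EOF
)

# Total number of redisAble calls on stdin. Every call counts, whatever the
# HTTP status: a 500 can still mean the script ran before something else failed.
redisable_count() {
    grep -cE 'cpanel_jsonapi_func=redisAble' || true
}

# One line per (account, client IP) pair that called redisAble, prefixed by
# the number of calls and sorted by account name. In the log shape above $3
# is the account field and $1 the client IP.
redisable_hits() {
    { grep -E 'cpanel_jsonapi_func=redisAble' || true; } \
    | awk '{ key = $3 " " $1; n[key]++ } END { for (k in n) print n[k], k }' \
    | sort -k2
}

# Run with --demo to apply both functions to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | redisable_count
    printf '%s\n' "$SAMPLE_LOG" | redisable_hits
fi
```

On a server, feed it the advisory's grep with -h so file names are stripped from the matched lines: grep -rhE 'cpanel_jsonapi_func=redisAble' /var/cpanel/logs /usr/local/cpanel/logs/ | redisable_hits. Include rotated archives (zcat for .gz files) in the same pass. Each account that appears is a starting point for the compromise investigation; whether a given call actually ran something has to be established on the host.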

Exploitation Profile

Active exploitation is being conducted by automated, opportunistic attackers scanning for unpatched LiteSpeed cPanel Plugin installations at scale, deploying ransomware and other malware payloads rather than running targeted intrusions. The window between public disclosure on May 21 and exploitation was effectively zero; scanning began immediately after the advisory. CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities catalog on May 26, 2026. The federal patch deadline of June 16 is the floor, not a target; opportunistic scanning runs continuously.

Five Actions Before June 16

  1. Patch to WHM Plugin 5.3.1.0 with cPanel Plugin 2.4.7 across every server in the fleet. This is the only complete fix; partial-mitigation versions (2.4.5 / WHM 5.2.10) do not fully remediate.
  2. If patching cannot happen today, uninstall the User-End cPanel Plugin entirely using the command above. Service degradation from the removed feature is preferable to a full host compromise.
  3. Grep logs on every affected server for prior exploitation attempts using the detection command above. Treat any hit as an active compromise investigation, not a passive alert.
  4. Audit the full fleet, not a sample. Automated scanners hit every reachable host, and one unpatched server is enough to hand an attacker root on that machine and every tenant account on it.