NewsCloud & DevOpsSecurity

LiteSpeed cPanel CVE-2026-48172: Patch Now or Lose Root

CVE-2026-48172: CVSS 10.0 privilege escalation in LiteSpeed cPanel plugin — patch now

A maximum-severity vulnerability in the LiteSpeed User-End cPanel Plugin — CVE-2026-48172, CVSS 10.0 — is being actively exploited in the wild as of this writing. The flaw lets any authenticated cPanel user, including a low-privilege account that was phished or purchased on a dark web forum, execute arbitrary code as root on the underlying server. One API call. No chaining required. A patch is available. If you run LiteSpeed with cPanel, upgrade before you finish reading this.

What Is This Flaw and Why Is It CVSS 10.0

The vulnerability lives inside the lsws.redisAble JSON-API endpoint in the LiteSpeed User-End cPanel Plugin — the component that lets individual cPanel users enable or disable Redis caching on their account. LiteSpeed Technologies confirmed the root cause: incorrect privilege assignment (CWE-266). The function fails to properly enforce privilege boundaries, and the endpoint is exposed to every logged-in cPanel user by default.

Exploitation is straightforward. An attacker sends a single crafted request with cpanel_jsonapi_func=redisAble and specific parameter values. The handler executes the payload as root. No admin credentials, no race condition to win, no multi-step bypass. Versions 2.3 through 2.4.4 of the cPanel plugin are affected. NIST confirmed the CVSS 10.0 rating, and CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog — the government’s shortlist of bugs being actively used in attacks right now.

The Shared Hosting Blast Radius

This is where the threat gets significantly worse than a typical privilege escalation. On a VPS or dedicated server, privilege escalation means an attacker moves from limited user to root on your machine. On shared hosting, it means an attacker with access to any one of potentially dozens or hundreds of co-located cPanel accounts gains root on the entire physical server.

Every tenant on the box is exposed. An attacker who compromises one account — through credential stuffing, a phished hosting login, or credentials purchased on a dark web market — can pivot to root and access every hosted site, every database, every email account, and every stored credential on that server. LiteSpeed powers over 14% of all websites globally. The attack surface is not trivial.

Active Exploitation: What Is Happening Right Now

LiteSpeed Technologies confirmed active exploitation at disclosure on May 23, 2026. Independent security researchers confirmed the same — honeypot data shows automated scanning tools probing for vulnerable installations at scale within 48 hours of public disclosure. This is not a targeted APT campaign. It is opportunistic threat actors running automated scripts against every reachable vulnerable server they can find. Post-exploitation activity observed includes malware persistence, credential harvesting across hosted accounts, and server repurposing for crypto mining or botnet infrastructure.

Fix It: Upgrade to v2.4.7 and WHM Plugin v5.3.1.0

LiteSpeed released the full-security-review patch on May 21, 2026 — two days before public CVE disclosure. The target versions are cPanel plugin v2.4.7 bundled with WHM plugin v5.3.1.0. Earlier builds including v2.4.5 and v2.4.6 address the root CVE but miss additional security hardening from the full review. Go straight to v2.4.7.

Update through WHM: navigate to the LiteSpeed section and trigger the upgrade via the built-in update mechanism, or pull manually from LiteSpeed’s official release log. If you cannot patch immediately because your hosting provider controls plugin versioning, use the emergency uninstall to remove the exposed endpoint:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

This removes the user-facing cPanel plugin without touching the LiteSpeed web server. Users lose access to LiteSpeed cPanel tuning controls temporarily, but the attack vector is closed.

Check If You Have Already Been Hit

Run this on the server to scan cPanel logs for exploitation indicators:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

No output means the indicator was not found in those logs. Any output requires immediate investigation — review originating IPs, check timestamps, and cross-reference against your cPanel account list. Treat any positive result as a confirmed compromise until proven otherwise. If exploitation is confirmed: isolate the server, rotate all credentials (database passwords, API keys, SSH keys, SMTP credentials), audit all cPanel accounts for unauthorized changes, and check crontabs, systemd unit files, and SSH authorized_keys for persistence mechanisms.
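The grep above tells you whether the indicator appears at all; the investigation step then needs to know which account, which source address, and when. The script below is an added example (not LiteSpeed's or cPanel's code) that combines two defender-side checks from this article: it classifies an installed plugin version against the stated ranges (2.3 through 2.4.4 affected, 2.4.7 the target), and it turns hits on cpanel_jsonapi_func=redisAble into a per-source summary with counts, first/last timestamps and whether the account is on your known account list. The log line layout (combined-log style), the sample lines and the account names are constructed assumptions; adjust LOG_RE to your actual cPanel access log format, and remember that rotated or shipped-off logs will not be searched by either the grep or this script.

```python
"""Triage helpers for CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin.

Added example; not LiteSpeed's or cPanel's own code. Two checks:
  1. version triage against the advisory's stated ranges
     (2.3 through 2.4.4 affected, 2.4.7 the recommended target);
  2. a log scan that turns hits on the indicator string
     ``cpanel_jsonapi_func=redisAble`` into a per-source summary
     (who, from where, when, how often) to drive the investigation step.
ASSUMPTION: the log line layout (combined-log style) and the sample lines
are constructed for this example; adjust LOG_RE to your access log format.
"""
import re
import sys
from datetime import datetime

AFFECTED_MIN = (2, 3, 0)  # first affected plugin version named in the advisory
AFFECTED_MAX = (2, 4, 4)  # last affected version
FIXED_TARGET = (2, 4, 7)  # release that also carries the full-review hardening
INDICATOR = "cpanel_jsonapi_func=redisAble"

# Assumed layout: IP - user [dd/Mon/yyyy:HH:MM:SS +zone] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 documentation addresses, made-up accounts).
SAMPLE_LOG = [
    '203.0.113.7 - mallory [23/May/2026:02:11:09 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
    '203.0.113.7 - mallory [23/May/2026:02:11:15 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
    '198.51.100.4 - alice [23/May/2026:09:30:00 +0000] "GET /frontend/index.html HTTP/1.1" 200',
    '198.51.100.9 - bob [23/May/2026:11:05:42 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
]


def parse_version(text):
    """Turn '2.3' or 'v2.4.4' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def version_status(text):
    """Classify an installed plugin version using the advisory's ranges."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"  # inside the stated affected range: patch now
    if v < AFFECTED_MIN:
        return "older"       # predates the stated range: upgrade anyway
    if v < FIXED_TARGET:
        return "partial"     # 2.4.5 / 2.4.6: root CVE fixed, hardening missing
    return "ok"


def scan_log_lines(lines, known_accounts=None):
    """Summarise indicator hits per (ip, user), most active source first.

    Every hit is reported (the advisory treats any hit as suspect); the
    summary adds the context needed to triage: count, first/last time, and
    whether the account is on your known cPanel account list (None if no
    list was supplied).
    """
    known = set(known_accounts) if known_accounts else None
    hits = {}
    for line in lines:
        if INDICATOR not in line:
            continue
        m = LOG_RE.match(line)
        ip, user, ts = "<unparsed>", "<unparsed>", None
        if m:
            ip, user = m.group("ip"), m.group("user")
            try:
                ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            except ValueError:
                ts = None  # keep the hit even if the timestamp is malformed
        entry = hits.setdefault((ip, user), {
            "ip": ip, "user": user, "count": 0, "first": None, "last": None,
            "known_account": (user in known) if known is not None else None,
        })
        entry["count"] += 1
        if ts is not None:
            entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
            entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return sorted(hits.values(), key=lambda e: (-e["count"], e["ip"]))


if __name__ == "__main__":
    # Usage: python3 triage.py /usr/local/cpanel/logs/access_log [more log files]
    # With no arguments the constructed SAMPLE_LOG is scanned instead.
    lines = list(SAMPLE_LOG)
    if sys.argv[1:]:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    for e in scan_log_lines(lines):
        flag = " (account not in known list)" if e["known_account"] is False else ""
        print(f'{e["ip"]:>16} {e["user"]:<12} hits={e["count"]} '
              f'first={e["first"]} last={e["last"]}{flag}')
```

Pass your real cPanel account list to scan_log_lines so a hit from a user that does not exist on the box stands out from a tenant who legitimately toggled Redis caching; either way, every hit still gets the investigation the article calls for.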

The Hosting Provider Problem

If you are on a managed shared hosting plan, you may not control the LiteSpeed WHM plugin version — that is the provider’s responsibility. Some patched silently and quickly. Others have not communicated anything to customers running on vulnerable servers.

Ask your provider directly: “Have you upgraded the LiteSpeed cPanel plugin to v2.4.7 in response to CVE-2026-48172?” If they don’t know what you are talking about, or if they hedge, that tells you something important about how seriously they take security operations. CVSS 10.0 with confirmed active exploitation is not a situation a competent provider handles with silence.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
