CVE-2026-48172: CVSS 10.0 LiteSpeed cPanel Plugin Flaw Under Active Exploitation Lets Any cPanel User Execute Arbitrary Scripts as Root
LiteSpeed confirmed active exploitation of CVE-2026-48172, a maximum-severity incorrect privilege assignment vulnerability in the LiteSpeed User-End cPanel Plugin affecting all versions between 2.3 and 2.4.4. Any cPanel user, including a compromised or attacker-controlled account, can abuse the lsws.redisAble function to execute arbitrary scripts with root-level permissions. The flaw has been patched in version 2.4.5, with additional hardening across both plugins delivered in cPanel plugin 2.4.7 bundled within WHM Plugin version 5.3.1.0. The disclosure arrives weeks after the actively exploited cPanel authentication bypass CVE-2026-41940.
What happened
LiteSpeed Technologies disclosed CVE-2026-48172, a maximum-severity privilege assignment flaw in the LiteSpeed User-End cPanel Plugin, and confirmed in the same advisory that the vulnerability is actively being exploited in the wild. The flaw carries a CVSS score of 10.0 and affects every version of the plugin between 2.3 and 2.4.4. The LiteSpeed WHM plugin is not impacted.
The vulnerability was discovered and responsibly reported by security researcher David Strydom. The root cause is incorrect privilege assignment in the lsws.redisAble function, which is exposed through the cPanel JSON API. The function can be called by any cPanel user on the system, including an attacker holding a compromised or low-privilege hosting account, to execute arbitrary scripts with root-level permissions. The path to root requires no authentication beyond having any valid cPanel account on the affected server.

LiteSpeed did not provide detailed technical specifics about the ongoing exploitation activity beyond confirming that it is occurring. The vendor provided an indicator of compromise command that administrators can run to check whether their servers have been targeted:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
If this command produces no output, the server has not been hit through this specific vector. Any output from the command should be treated as a potential compromise indicator. Administrators who see results are advised to examine the associated IP addresses, determine whether they represent legitimate management activity, and if not, block them immediately and begin an incident response investigation.
Following the initial disclosure, LiteSpeed conducted a broader security review of both its cPanel and WHM plugins. That review identified additional potential attack vectors in both plugins, which have been addressed in an updated release. The cPanel plugin has been updated to version 2.4.7, which is bundled with WHM plugin version 5.3.1.0.
The disclosure arrives weeks after CVE-2026-41940, a critical CVSS 9.8 cPanel authentication bypass flaw that was already under active exploitation before it was patched on April 29, 2026. That vulnerability, a CRLF injection in the cpsrvd daemon, allowed unauthenticated attackers to inject session properties including user=root and gain administrative access. It had been exploited as a zero-day for at least 30 days before the patch arrived, and was subsequently weaponized by an unknown APT targeting government and military networks in Southeast Asia. The current LiteSpeed vulnerability represents a second major root-level exploitation path for servers running cPanel within a matter of weeks.
Who is affected
Any server running the LiteSpeed User-End cPanel Plugin at versions 2.3 through 2.4.4 is affected. Given that cPanel is one of the most widely deployed web hosting control panels in the world, and LiteSpeed is a common alternative to Apache on shared hosting environments, the potential attack surface is meaningful.
The LiteSpeed WHM plugin does not share this vulnerability. Server-level installations using only the WHM plugin without the user-end cPanel plugin are not affected by this specific flaw, though LiteSpeed's subsequent review identified additional hardening opportunities in the WHM plugin that have been addressed in version 5.3.1.0.
The confirmed active exploitation means that servers in this version range should be treated as potentially compromised even if no specific indicators have been found yet. The absence of log entries matching the indicator of compromise query reduces the likelihood but does not eliminate it entirely, as sophisticated post-exploitation activity may have covered some evidence.
Risk level
Critical
A CVSS 10.0 flaw that grants root access from any valid cPanel account on a shared hosting server is maximally severe. In a typical shared hosting environment, there can be hundreds or thousands of cPanel accounts on a single server. Any one of them, if accessible to an attacker through credential theft, phishing, brute force, or prior exploitation, becomes a viable starting point for achieving root. Root access on a shared hosting server grants access to every hosted website, every database, every email account, every customer's files, and the ability to establish persistent backdoor access that survives cPanel and LiteSpeed updates.
The timing of this disclosure relative to CVE-2026-41940 is significant. Attackers who gained access to cPanel servers through the earlier authentication bypass now have a direct escalation path to root through the LiteSpeed plugin on servers where it is installed. The two vulnerabilities can function as a chain: use CVE-2026-41940 to authenticate as an arbitrary cPanel user, then use CVE-2026-48172 to escalate to root.
What to do
The immediate priority is upgrading to a fixed version of the LiteSpeed cPanel plugin:
- Upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which bundles cPanel plugin version 2.4.7. This is the recommended update path as it includes both the CVE-2026-48172 fix and the additional hardening identified during LiteSpeed's subsequent security review
- If immediate patching is not possible, remove the user-end plugin entirely as a temporary mitigation by running:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
- Run the indicator of compromise check against your logs:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
- Any IP addresses appearing in those results that cannot be confirmed as legitimate management activity should be blocked and investigated as potential attack sources
- Review your server's root-level activity for the whole period a vulnerable plugin version (2.3 through 2.4.4) was installed, looking for unexpected user account creation, cron job modifications, file system changes in system directories, and new SSH authorized_keys entries
- Servers that were previously running unpatched versions of the CVE-2026-41940 cPanel flaw should be treated as particularly high-risk and subject to a more thorough integrity review, given the potential for chained exploitation
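The vendor's indicator of compromise query (the grep shown above and in the "What to do" list) tells you whether redisAble was ever called, but triage needs the source IPs and the cPanel accounts behind those calls so that known management activity can be separated from unexplained access. The script below is an added example, not LiteSpeed's tooling: it runs the same grep over a directory of log files, tallies hits per client IP and cPanel user, and prints only the IPs not on an allowlist of known management addresses. The log lines are constructed, and the access-log layout assumed (client IP in the first field, cPanel username in the third) is an assumption to adjust for your own logs.

```shell
#!/bin/sh
# Added example (not LiteSpeed's code): turns the advisory's one-line IoC grep
# into a triage helper that lists source IPs behind redisAble calls and
# separates known management addresses from ones to investigate.
# Log lines are constructed; the access-log layout (client IP first, cPanel
# username third) is an assumption, adjust the awk fields for your logs.

LOG_DIR="${LOG_DIR:-$(mktemp -d)}"

# Write constructed sample logs into LOG_DIR, which stands in for
# /var/cpanel/logs and /usr/local/cpanel/logs/ from the advisory.
make_sample_logs() {
    cat > "$LOG_DIR/access_log" <<'EOF'
203.0.113.5 - alice [01/May/2026:10:00:01 +0000] "POST /json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles HTTP/1.1" 200 512
198.51.100.7 - bob [01/May/2026:10:05:12 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 64
198.51.100.7 - bob [01/May/2026:10:05:40 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 64
192.0.2.10 - admin [01/May/2026:11:00:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 64
EOF
}

# The vendor's IoC query, parameterised on LOG_DIR so it runs on the sample.
# -h drops the file-name prefix so field positions are stable for awk.
ioc_hits() {
    grep -rhE "cpanel_jsonapi_func=redisAble" "$LOG_DIR" 2>/dev/null
}

# Summarise hits as "count ip cpanel_user", highest count first.
hits_by_ip() {
    ioc_hits | awk '{print $1, $3}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2, $3}'
}

# Print only hits whose IP is not in the allowlist ($1 is a space-separated
# list of known management addresses). Anything printed is a candidate for
# blocking and for the incident response review the advisory recommends.
suspect_ips() {
    allow="$1"
    hits_by_ip | while read -r count ip user; do
        case " $allow " in
            *" $ip "*) ;;   # known management source, skip
            *) printf '%s %s %s\n' "$count" "$ip" "$user" ;;
        esac
    done
}

make_sample_logs
echo "Hits by IP (count ip cpanel_user):"
hits_by_ip
echo "Unrecognised sources to investigate:"
suspect_ips "192.0.2.10"
```

On a real server set LOG_DIR to the directories named in the advisory (or run the grep twice, once per directory) and put your management IPs in the allowlist argument; every line the script leaves in the "to investigate" section is an IP and cPanel account pair to block and examine, and a cPanel user that never had a legitimate reason to touch the LiteSpeed plugin is itself a sign the account was compromised.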
Analysis
The LiteSpeed cPanel plugin occupies an interesting position in the attack surface of shared hosting infrastructure. Because cPanel is a near-universal control panel in the web hosting industry, and because LiteSpeed is deployed across a substantial portion of that infrastructure as a performance-focused web server alternative, a privilege escalation in the LiteSpeed cPanel integration reaches a large number of servers that share a common administrative model. Each of those servers may host hundreds of customer accounts, making the blast radius per compromised server considerably larger than a standard single-tenant system compromise.
The incorrect privilege assignment root cause is a category of error that is straightforward to understand but can be difficult to catch during development: a function that was intended to be called only by administrators was exposed through the cPanel API in a way that allowed any authenticated cPanel user to invoke it. The cPanel JSON API provides a convenient integration surface for plugins, but that convenience comes with the responsibility of correctly validating the caller's privilege level before executing any sensitive operation. In this case, that validation was absent.
The active exploitation confirmation from LiteSpeed without accompanying details about the scope or nature of the attacks is worth noting. Vendors disclosing active exploitation without technical specifics about the observed attack patterns make it more difficult for defenders to search for targeted compromise evidence beyond the generic indicator of compromise query provided. Administrators should not interpret the lack of detail as an indication that exploitation is limited or low-sophistication. The combination of a publicly known CVSS 10.0 vector and confirmed exploitation in the wild creates conditions where automated scanning and opportunistic exploitation are both likely already underway.
Given that this is the second major cPanel ecosystem vulnerability under active exploitation within a month, hosting providers and managed service providers with cPanel infrastructure should be treating this as an urgent patching event and reviewing their shared hosting servers for signs of post-exploitation activity going back to the point when CVE-2026-41940 was first exploited.