A critical security vulnerability affecting the LiteSpeed User-End cPanel Plugin is currently being actively exploited, according to an official advisory released by LiteSpeed Technologies.
The flaw, identified as CVE-2026-48172, has received the highest possible CVSS severity score of 10.0, highlighting the serious risk it poses to affected systems.
What Is CVE-2026-48172?
The vulnerability stems from an incorrect privilege assignment issue within the LiteSpeed User-End cPanel Plugin. Attackers can exploit the flaw to execute arbitrary scripts with elevated privileges, potentially gaining root-level access to vulnerable servers.
LiteSpeed explained the issue in its advisory:
“Any cPanel user (including an attacker or a compromised account) may exploit the
lsws.redisAblefunction to execute arbitrary scripts as root.”
This means even low-privileged cPanel users could potentially escalate privileges and fully compromise a server.
Affected Versions
The vulnerability impacts LiteSpeed User-End cPanel Plugin versions:
- 2.3
- Through 2.4.4
LiteSpeed confirmed that its WHM plugin is not affected by this specific vulnerability.
The issue has been patched in:
- LiteSpeed User-End cPanel Plugin v2.4.5
- Recommended upgrade package: WHM Plugin v5.3.1.0, which includes cPanel Plugin v2.4.7
Security researcher David Strydom has been credited with discovering and responsibly disclosing the flaw.
Vulnerability Under Active Exploitation
LiteSpeed has warned that the vulnerability is already being actively exploited in real-world attacks. While the company did not provide technical details about the attacks, administrators are strongly urged to patch vulnerable systems immediately.
To help identify possible compromise attempts, LiteSpeed shared the following command:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
How to Interpret the Results
- No output: Your server is likely not affected.
- Any output found: Review the listed IP addresses carefully. If any appear suspicious or unauthorized, block them immediately and investigate further.
Additional Security Hardening Released
Following an internal security review of both its cPanel and WHM plugins, LiteSpeed announced that it has patched several additional potential attack vectors.
The latest recommended release is:
- LiteSpeed WHM Plugin v5.3.1.0
- Bundled with cPanel Plugin v2.4.7 or later
Administrators are strongly encouraged to upgrade as soon as possible.
Temporary Mitigation Option
If immediate patching is not feasible, LiteSpeed recommends uninstalling the vulnerable user-end plugin using the following command:
/ usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
This can help reduce exposure until updates can be safely applied.
Growing Threat Landscape Around cPanel Vulnerabilities
This latest disclosure comes just weeks after another critical cPanel vulnerability, CVE-2026-41940 (CVSS score: 9.8), was reportedly exploited by threat actors to deploy:
- Mirai botnet variants
- A ransomware strain known as Sorry
The incidents highlight the increasing focus cybercriminals are placing on hosting infrastructure and web management platforms.
Final Thoughts
With active exploitation already underway, server administrators using LiteSpeed cPanel plugins should treat this vulnerability as a top-priority security issue.
Immediate patching, log analysis, and access reviews are strongly recommended to prevent unauthorized root-level compromise.
Keeping hosting environments updated and regularly auditing privileged services remains critical in defending against rapidly evolving cyber threats.
