CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Under Active Exploitation
CVE-2026-48172 is a critical (CVSS: 9.8) privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin that lets any cPanel user execute arbitrary scripts as root. It's been exploited in the wild as a zero-day, CISA added it to the Known Exploited Vulnerabilities catalog on May 26, 2026, and patches are available. If you run LiteSpeed Web Server with the user-end cPanel plugin, upgrade to cPanel plugin v2.4.7 bundled with WHM plugin v5.3.1.0 immediately. If you can't patch right now, uninstall the plugin.
What is CVE-2026-48172?
CVE-2026-48172 is a privilege escalation flaw in the LiteSpeed User-End cPanel Plugin, classified as CWE-266: Incorrect Privilege Assignment. The vulnerability lives in the plugin's Redis enable and disable feature, which is meant to let cPanel users toggle Redis caching for their own accounts. The plugin mishandles how those toggle requests are authorized.
By sending crafted JSON API requests to the lsws.redisAble function (visible in logs as cpanel_jsonapi_func=redisAble), an authenticated cPanel user can break out of the normal privilege boundary and execute arbitrary scripts as root. The flaw turns a feature designed for a single tenant's caching configuration into a direct path to full server takeover.
Security researcher David Strydom reported the issue to LiteSpeed on May 19, 2026. LiteSpeed published its security advisory two days later. LiteSpeed's WHM Plugin, the administrator-facing parent plugin, isn't affected by the actively exploited flaw.
What products and versions are affected?
The following are affected:
- LiteSpeed User-End cPanel Plugin: all versions before 2.4.7
- LiteSpeed WHM Plugin: all versions before 5.3.1.0
The active exploitation in the wild targets a Redis enable/disable flaw in the user-end cPanel plugin specifically, in versions 2.3 through 2.4.4. A subsequent proactive security review patched additional potential attack vectors in both plugins, and NVD's CPE configuration for CVE-2026-48172 now covers all versions of both plugins before 2.4.7 and 5.3.1.0 respectively. NVD lists 2.4.7 as the recommended minimum version.
The vulnerable plugin runs on servers using LiteSpeed Web Server with cPanel as the hosting control panel. LiteSpeed is one of the most widely deployed commercial web servers in the shared hosting market, and the cPanel plugin is the standard way customer-facing accounts interact with it. Exposure concentrates in shared hosting providers, MSPs, and agencies that let third parties manage their own sites through cPanel.
If you're a hosting provider, every tenant on an unpatched server is a potential exploitation origin. If you're a customer of a shared hosting provider, your single account is sitting on the same kernel as every other account on that box. A compromise of one cPanel user becomes a compromise of every site on the server.
How severe is it?
CVE-2026-48172 carries a CVSS 3.1 base score of 9.8 (Critical) per NVD, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The score reflects trivial exploitation, no user interaction, and full root compromise of the host along with impact on neighboring tenants.
The CVSS vector's PR:N (privileges required: none) deserves a quick word, since the LiteSpeed advisory describes exploitation as requiring an authenticated cPanel user. The framing reflects how easy it is to get that authentication in practice. cPanel accounts are routinely provisioned to end customers and resellers, often with weak passwords and no MFA enforcement. A compromised hosting account, whether obtained through phishing, credential reuse, or an unrelated web app vulnerability, is enough to pivot to full root.
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, with a remediation deadline of May 29, 2026 for federal agencies under Binding Operational Directive 22-01. A three-day window is unusually short and signals confirmed, ongoing exploitation.
Has this been exploited in the wild?
Yes. LiteSpeed has confirmed that CVE-2026-48172 was exploited as a zero-day before the patch was available. The company hasn't shared details on attacker identity, exploitation volume, or specific payloads.
The disclosure timeline gives some sense of how seriously the vendor and the cPanel team treated it:
- May 19, 2026: LiteSpeed is alerted to the original issue. cPanel pushes an automatic uninstall of the vulnerable user-end plugin through its nightly update process. LiteSpeed releases cPanel plugin v2.4.6 bundled with WHM plugin v5.3.0.0.
- May 20, 2026: LiteSpeed applies for a CVE assignment. The CVE is published the same day.
- May 21, 2026: LiteSpeed completes a broader proactive security review with the cPanel/WebPros team and releases cPanel plugin v2.4.7 bundled with WHM plugin v5.3.1.0, which includes additional hardening beyond the original fix.
- May 26, 2026: CISA adds CVE-2026-48172 to the KEV catalog.
cPanel's automatic uninstall of the vulnerable plugin during the May 19 nightly update is a notable mitigation: many cPanel installations were protected before most administrators even saw the advisory. If you run cPanel with automatic updates enabled, the plugin may already have been uninstalled. Confirm before assuming.
Are patches available?
Yes. LiteSpeed has released two patched versions:
- cPanel plugin v2.4.5 first contained the fix for the actively exploited Redis flaw.
- cPanel plugin v2.4.7 bundled with WHM plugin v5.3.1.0 (released May 21, 2026) includes additional hardening from the full security review LiteSpeed conducted with the cPanel/WebPros team. NVD lists 2.4.7 (and 5.3.1.0 for WHM) as the recommended minimum versions.
Both versions close the actively exploited issue. The v2.4.7 release adds extra defense against other potential attack vectors uncovered during the review, none of which have been observed in exploitation. We recommend going straight to v2.4.7 to avoid a second patch cycle.
What should you do right now?
- Patch immediately. Upgrade to cPanel plugin v2.4.7 bundled with WHM plugin v5.3.1.0 or higher. If you've already upgraded to v2.4.5 or v2.4.6, you've closed the actively exploited issue, but v2.4.7 patches additional attack surface uncovered during LiteSpeed's follow-up review.
- Check for exploitation attempts. Run this command on every affected server:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
No output means no exploitation attempts hit this server. If you see output, examine the source IPs, block any that aren't legitimate, and review system logs for actions taken by those IPs.
- Uninstall the plugin if you can't patch immediately:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
The vulnerability is in the plugin itself. Removing it removes the attack path entirely. You can reinstall once you're on a patched version.
- Hunt for post-exploitation activity. Because this CVE delivers root, treat any confirmed compromise as a full server takeover. Look for unauthorized user accounts, modified system binaries, new cron jobs, suspicious systemd services, persistence mechanisms in /etc/rc.local or shell startup files, and unusual outbound traffic. On a multi-tenant hosting server, expand the search to every tenant's home directory.
- Rotate credentials on any compromised systems, including SSH keys, API tokens, database credentials accessible from the host, and any service account credentials stored on the box. Root access means everything on the server was readable.
- Notify your tenants if you're a hosting provider. Customers on a compromised server should be told their data and credentials may have been accessed, even if their individual account wasn't the entry point.
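The log check from the "Check for exploitation attempts" step, extended to group hits by source IP and cPanel user so you can see who to block and which accounts to review. This is an added example, not code from LiteSpeed or the advisory. It assumes combined-log-style access-log lines (IP first, authenticated user third, bracketed timestamp fourth); the function names and sample lines are constructed for illustration.

```bash
# Summarize requests carrying the advisory indicator (cpanel_jsonapi_func=redisAble).
# Assumption: access-log lines look like
#   <ip> - <user> [<timestamp> <tz>] "<request>" <status> ...
redisable_summary() {
    # Arguments: log files or directories. Default: the paths named in the advisory.
    [ "$#" -gt 0 ] || set -- /var/cpanel/logs /usr/local/cpanel/logs
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null |
    awk '
        {
            # Parse only lines that start with an IP and have a bracketed timestamp.
            if ($1 ~ /^[0-9A-Fa-f:.]+$/ && $4 ~ /^\[/) {
                key = $1 " " $3                 # source IP + authenticated user
                ts = substr($4, 2)              # drop the leading "["
                if (!(key in n)) first[key] = ts
                last[key] = ts
                n[key]++
            } else {
                unparsed++                      # keep hits in other formats visible
            }
        }
        END {
            # Output columns: count, ip, user, first seen, last seen (in file order)
            for (k in n) printf "%d %s %s %s\n", n[k], k, first[k], last[k]
            if (unparsed) printf "%d unparsed - - -\n", unparsed
        }' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range IPs, made-up users and session tokens).
sample_log() {
cat <<'EOF'
203.0.113.7 - tenant1 [05/18/2026:02:11:09 -0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0" "s" "-" 2083
198.51.100.20 - shopowner [05/18/2026:09:30:00 -0000] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
203.0.113.7 - tenant1 [05/18/2026:02:11:15 -0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0" "s" "-" 2083
198.51.100.20 - shopowner [05/18/2026:09:31:12 -0000] "POST /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
EOF
}

# Demo on the constructed sample; on a server, call redisable_summary with no arguments.
demo=$(mktemp) && sample_log > "$demo" && redisable_summary "$demo"; rm -f "$demo"
```

grep does not read compressed files, so rotated `.gz` logs need a separate pass with zgrep. An "unparsed" row means the indicator matched a line in a different format and should be read by hand.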
How Halo Security can help
Halo Security customers can identify every cPanel-running asset across their attack surface today using Technology Scanning. Our agentless discovery continuously fingerprints the technologies on every internet-facing host we find, and the Technology list filter lets you pull up every cPanel deployment in seconds. That answer to "where do we even have cPanel?" is the first thing you need before you can patch.
We're investigating detection for CVE-2026-48172 specifically. For hosting providers and MSPs managing large fleets of cPanel servers, continuous discovery matters as much as scanning. New servers come online constantly. A new acquisition, a forgotten staging environment, or a customer-managed VPS can all introduce vulnerable plugin versions. Continuous attack surface monitoring keeps the inventory accurate without manual asset tracking.
FAQ
Is CVE-2026-48172 being actively exploited?
Yes. LiteSpeed has confirmed exploitation in the wild as a zero-day, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 26, 2026, with a three-day remediation deadline for federal agencies.
How can I tell if I've been compromised?
Run grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null on every affected server. If there's no output, no exploitation attempts have hit that server. If there is output, examine the source IPs and review system logs for any actions those IPs took.
How quickly do I need to patch?
Same-day. CISA's three-day federal remediation window reflects the severity. Any internet-exposed cPanel deployment with the affected LiteSpeed plugin should be treated as urgent.
What if I can't patch right now?
Uninstall the user-end plugin using /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. LiteSpeed's WHM plugin is unaffected, so you don't need to remove that.
Does this affect the LiteSpeed WHM plugin too?
The active exploitation targets the user-end cPanel plugin only. That said, NVD's CPE configuration for CVE-2026-48172 lists both plugins as affected because LiteSpeed's follow-up security review patched additional potential attack vectors in both. Upgrade the WHM plugin to v5.3.1.0 alongside the cPanel plugin update.
I'm a customer of a shared hosting provider. What should I do?
Contact your hosting provider and ask whether they've patched CVE-2026-48172. If they confirm they've upgraded to cPanel plugin v2.4.5 or later (ideally v2.4.7) or uninstalled the user-end plugin, you're protected. If they're slow to respond, assume the server may have been compromised and rotate any credentials stored on or transmitted through the account.
We're here to help
Want to know where you're exposed to CVE-2026-48172 across your attack surface? Halo Security's external vulnerability management platform helps you find every cPanel-running asset in your environment and stay ahead of newly exploited CVEs as they're cataloged.