CVE-2026-48172, assigned a CVSS score of 10.0, is being actively exploited in the wild to allow cPanel users to run arbitrary scripts with root privileges, LiteSpeed confirmed.
CVE-2026-48172: what the flaw does
The vulnerability tracked as CVE-2026-48172 stems from an incorrect privilege assignment in the LiteSpeed User‑End cPanel Plugin that an attacker can abuse to execute arbitrary scripts as root. As LiteSpeed put it, "Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root." The vendor rated the issue maximum severity (CVSS 10.0) and stated the flaw was being actively exploited, while declining to share further operational details about the attacks.
Indicators and immediate detection steps published by LiteSpeed
LiteSpeed published a single, explicit indicator of compromise for operators to search for in local logs:
- grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
According to LiteSpeed, if that command produces no output, the server is not affected. If it does return matches, operators are advised to examine the IP addresses in the list, determine whether they are legitimate, and block them if they are not.
Affected releases, patched releases, and an uninstall option
The flaw affects all versions of the LiteSpeed cPanel user‑end plugin between 2.3 and 2.4.4. LiteSpeed said its WHM plugin is not impacted. The issue was addressed in cPanel plugin version 2.4.5. Following a wider security review of both its cPanel and WHM plugins, LiteSpeed released cPanel plugin version 2.4.7 bundled with WHM plugin version 5.3.1.0 and said it patched additional potential attack vectors in both plugins.
LiteSpeed's recommended remediation is to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher. For environments where immediate patching is not possible, the vendor published a removal command for the user‑end plugin:
- /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Credit, disclosure posture, and operational context
Security researcher David Strydom is credited with discovering and reporting the flaw. LiteSpeed acknowledged active exploitation but refrained from further operational detail in its advisory. The company also said its post‑disclosure review led to additional patches in both the cPanel and WHM plugins beyond the immediate fix for the lsws.redisAble privilege issue.
What this means for web hosting operators, security teams, and threat actors
- Web hosting operators: Run the provided grep against your /var/cpanel/logs and /usr/local/cpanel/logs paths; if matches appear, validate and block unauthorised IP addresses and prioritize upgrading to cPanel plugin v2.4.7 and WHM plugin 5.3.1.0 when possible.
- Security teams at affected sites: Treat any indicator that matches the grep as a potential full‑root compromise vector and investigate historic logs for signs of exploitation; consider the removal command only if an immediate patch cannot be applied.
- Threat actors and defenders watching the ecosystem: The advisory notes active exploitation, and LiteSpeed's additional patching of potential attack vectors suggests the vendor found other fragile areas during a follow‑up review—both of which will shape attacker choices and defensive priorities.
This development arrives weeks after another critical cPanel vulnerability, CVE-2026-41940 (CVSS score 9.8), was identified as actively exploited by unknown actors to deploy Mirai botnet variants and a ransomware strain called Sorry. LiteSpeed's public advisories leave two concrete steps for operators: search logs for the explicit indicator and apply the available updates (or uninstall the plugin until they can). What remains open is the scale and breadth of the active exploitation—LiteSpeed confirmed activity but declined to publish additional detail—making rapid detection and patching the most actionable next move for affected environments.




