Severity: critical
CVE: CVE-2026-48172
CWE: CWE-266
Affected Surface: LiteSpeed User-End cPanel Plugin 2.3 through 2.4.4; LiteSpeed cPanel plugin before 2.4.7; LiteSpeed WHM Plugin before 5.3.1.0 when bundling the affected user-end plugin; shared cPanel Linux hosting servers running the LiteSpeed user-end plugin
CVE-2026-48172 is a hosting-control-plane break, not a routine web plugin bug. LiteSpeed disclosed that the User-End cPanel Plugin versions 2.3 through 2.4.4 expose a privilege-escalation path in the lsws.redisAble function, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on 26 May after evidence of active exploitation.
The impact is severe because the vulnerable component is designed for ordinary cPanel users. On a shared-hosting server, a tenant account can interact with the user-end plugin from the cPanel interface. If that account is malicious, compromised, phished, or resold, the vulnerability can move execution from that tenant boundary to scripts running as root on the underlying Linux host.
Vulnerable path
The exposed attack surface is the plugin’s Redis enable/disable workflow. Public indicators and the vendor advisory identify the vulnerable JSON API function as:
lsws.redisAble
Requests leave a cPanel log footprint containing:
cpanel_jsonapi_func=redisAble
That is the critical boundary failure. Redis management is a privileged server operation, but the user-end plugin accepted input from a cPanel account and routed it into a privileged backend path without preserving the tenant-to-root boundary. In CWE terms, the bug is incorrect privilege assignment: a user-facing action could cause privileged script execution.
The parent WHM plugin was initially described as not directly vulnerable to the original issue, but the safest fixed deployment target is now the WHM plugin release that bundles the hardened user-end component. LiteSpeed’s follow-up security review shipped cPanel plugin 2.4.7 bundled with WHM plugin 5.3.1.0; administrators should skip partial fixes and deploy that release line or later.
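The boundary failure described above, illustrated as an added example rather than the plugin’s own code: the LiteSpeed internals are not published here, so this is a hypothetical handler pair in the same shape. `privileged_exec`, `redis-ctl`, `TenantRequest` and `ACCOUNT_RE` are assumptions standing in for whatever root-level helper a control-panel plugin invokes. The unscoped handler forwards tenant-supplied fields straight to the privileged helper; the scoped handler keeps the tenant-to-root boundary by validating input shape, allowlisting the action, and pinning the target to the authenticated caller.

```python
"""Hypothetical tenant-to-root boundary check (added example, not LiteSpeed code)."""
import re
from dataclasses import dataclass

# Assumed policy: only these two Redis operations exist at the user-end layer.
ALLOWED_ACTIONS = frozenset({"enable", "disable"})
# Assumed account-name shape; a real deployment would use the panel's own rules.
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9_]{0,15}$")


class Denied(Exception):
    """Raised when a tenant request is rejected before it reaches root."""


@dataclass(frozen=True)
class TenantRequest:
    caller: str   # account the control panel already authenticated
    target: str   # account whose Redis instance the action applies to
    action: str   # requested operation, as supplied by the tenant


def unscoped_handler(req: TenantRequest, privileged_exec):
    # The failing pattern (CWE-266): tenant-controlled fields are handed to a
    # root-level helper with no check that the caller may act on that target
    # or that the action is one the user-end layer should expose.
    return privileged_exec(["redis-ctl", req.action, req.target])


def scoped_handler(req: TenantRequest, privileged_exec):
    # Hardened form: validate shape, restrict to an allowlist, and bind the
    # target to the authenticated caller so root never acts across tenants.
    if not ACCOUNT_RE.match(req.caller) or not ACCOUNT_RE.match(req.target):
        raise Denied("malformed account name")
    if req.action not in ALLOWED_ACTIONS:
        raise Denied(f"action not permitted: {req.action!r}")
    if req.target != req.caller:
        raise Denied("tenant may only manage its own Redis instance")
    # argv list, not a shell string: the helper receives exactly three tokens.
    return privileged_exec(["redis-ctl", req.action, req.caller])


def recording_exec():
    """Stub for the root helper: records argv instead of running anything."""
    calls = []

    def privileged_exec(argv):
        calls.append(list(argv))
        return 0

    return calls, privileged_exec


def demo():
    """Show the cross-tenant request passing the unscoped path and failing the scoped one."""
    calls, run = recording_exec()
    cross_tenant = TenantRequest(caller="tenant1", target="tenant2", action="enable")
    unscoped_handler(cross_tenant, run)          # reaches root as tenant2's action
    forwarded = calls[-1]
    try:
        scoped_handler(cross_tenant, run)
        blocked = False
    except Denied:
        blocked = True
    return forwarded, blocked


if __name__ == "__main__":
    forwarded, blocked = demo()
    print("unscoped forwarded:", forwarded)
    print("scoped blocked:", blocked)
```

The point of the scoped variant is not the regex but the third check: the privileged helper only ever receives the identity the panel authenticated, so a compromised or malicious tenant account cannot turn a user-facing action into a root operation on another tenant’s scope.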
Why this is urgent
Shared cPanel hosts are high-blast-radius targets. One exploited tenant can expose:
- Other customers’ website files and application secrets.
- Local database credentials stored in application config files.
- SSH keys and deployment tokens present on the host.
- Cron jobs, web shells, persistence units, and malware running as root.
The CVSS v4 vector published for the CVE is maximum severity, and CISA’s KEV deadline is unusually short. That matches the operational risk: the exploit primitive is a cPanel API call, not a complex memory-corruption chain.
Detection
Run LiteSpeed’s cPanel log check on every affected host:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
No output only means this specific indicator did not appear in the searched logs. Any output should be treated as a potential exploitation event. Extract the source IPs, correlate them with cPanel account activity, and review system logs for follow-on actions by those IPs or accounts, especially root-owned files created near the request time.
For exposed systems, also review:
- New or modified files under hosted web roots.
- Unexpected root cron entries, systemd units, and shell profiles.
- Recently added SSH authorized keys.
- Suspicious binaries under /tmp, /var/tmp, and customer home directories.
- Database password, API token, and deployment key access from affected accounts.
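The triage steps above (extract source IPs and accounts from indicator hits, then look for root-owned files created near the request time), as an added example that is not LiteSpeed’s tool. It assumes a cPanel-style access log layout of client IP, account, bracketed timestamp and quoted request line; the sample log lines and the file inventory are constructed for illustration, and `LINE_RE` should be adjusted if a host’s log format differs.

```python
"""Triage helper for the CVE-2026-48172 log indicator (added example, not LiteSpeed's tool)."""
import os
import pwd
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INDICATOR = "cpanel_jsonapi_func=redisAble"

# Constructed sample log text in an assumed cPanel access-log layout.
SAMPLE_LOG = """\
203.0.113.10 - tenant1 [26/May/2026:09:14:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 31
198.51.100.7 - tenant2 [26/May/2026:09:20:45 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 5120
203.0.113.10 - tenant1 [26/May/2026:09:14:09 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 31
"""

# Constructed file inventory as (path, owner, mtime); see collect_inventory() for live hosts.
SAMPLE_FILES = [
    ("/home/tenant1/public_html/.cache.php", "root", datetime(2026, 5, 26, 9, 25, tzinfo=timezone.utc)),
    ("/home/tenant1/public_html/index.php", "tenant1", datetime(2026, 5, 26, 9, 25, tzinfo=timezone.utc)),
    ("/home/tenant2/public_html/robots.txt", "root", datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)),
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_hits(log_text):
    """Return one record per line carrying the indicator; unparseable lines keep raw text only."""
    hits = []
    for line in log_text.splitlines():
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            hits.append({"ip": None, "user": None, "ts": None, "raw": line})
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "user": m["user"], "ts": ts, "raw": line})
    return hits


def summarize_by_ip(hits):
    """Group hits by source IP with count, accounts seen, and first/last timestamp."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for h in hits:
        s = summary[h["ip"]]
        s["count"] += 1
        if h["user"]:
            s["users"].add(h["user"])
        if h["ts"]:
            s["first"] = h["ts"] if s["first"] is None else min(s["first"], h["ts"])
            s["last"] = h["ts"] if s["last"] is None else max(s["last"], h["ts"])
    return dict(summary)


def collect_inventory(roots):
    """Walk real directories into (path, owner, mtime) tuples; used on a live host, not in the demo."""
    out = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except (OSError, KeyError):
                    continue
                out.append((path, owner, datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)))
    return out


def correlate_root_files(hits, files, window=timedelta(minutes=30)):
    """Flag root-owned files whose mtime falls within `window` of any indicator hit."""
    flagged = []
    for path, owner, mtime in files:
        if owner != "root":
            continue
        for h in hits:
            if h["ts"] is not None and abs(mtime - h["ts"]) <= window:
                flagged.append((path, h["ip"], h["user"]))
                break
    return flagged


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    for ip, s in summarize_by_ip(hits).items():
        print(f"{ip}: {s['count']} hit(s) from {sorted(s['users'])} between {s['first']} and {s['last']}")
    for path, ip, user in correlate_root_files(hits, SAMPLE_FILES):
        print(f"root-owned file near request time: {path} (source {ip}, account {user})")
```

On a live host, feed `parse_hits` the concatenated output of the grep above and replace `SAMPLE_FILES` with `collect_inventory(["/home", "/tmp", "/var/tmp"])`; a flagged file is a lead to examine, not proof of compromise, since legitimate root activity can coincide with a request window.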
Remediation
Upgrade to LiteSpeed WHM Plugin 5.3.1.0 or later, which bundles cPanel plugin 2.4.7 or later. If an immediate upgrade is not possible, remove the user-end plugin until a fixed version is deployed:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
After patching, do not stop at version verification. Because the flaw was exploited in the wild before the KEV listing, incident response should assume a vulnerable host may already have been touched. Rotate credentials exposed to any suspicious tenant account, rebuild from trusted images if root compromise is plausible, and restrict cPanel and WHM access to trusted networks wherever operations allow it.