Privilege escalation in LiteSpeed cPanel plugin via redisAble function exploited in the wild
Summary
A maximum-severity (CVSS 10.0) privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin (CVE-2026-48172) is actively exploited to execute arbitrary scripts as the root user. The flaw arises from incorrect privilege assignment in the lsws.redisAble function, enabling any authenticated cPanel user—including attackers or compromised accounts—to gain root-level code execution. The issue affects plugin versions 2.3 through 2.4.4; WHM plugin versions are not impacted. Patches are available in cPanel plugin v2.4.7 (bundled with WHM v5.3.1.0).
Timeline
- 23.05.2026 10:35 · 1 article
LiteSpeed cPanel Plugin CVE-2026-48172 actively exploited for root-level code execution
A maximum-severity privilege escalation in the LiteSpeed User-End cPanel Plugin (CVE-2026-48172) is under active exploitation. The vulnerability stems from improper privilege handling in the lsws.redisAble function, permitting authenticated users to execute arbitrary scripts as root on affected systems running plugin versions 2.3 through 2.4.4. LiteSpeed issued patched versions (cPanel plugin 2.4.7 bundled with WHM plugin 5.3.1.0) and provided a grep-based IOC to identify potential exploitation in cPanel logs.
Sources:
- LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root — thehackernews.com — 23.05.2026 10:35
Information Snippets
- CVE-2026-48172 (CVSS 10.0) is an incorrect privilege assignment flaw in the LiteSpeed User-End cPanel Plugin affecting versions 2.3 to 2.4.4.
  First reported: 23.05.2026 10:35 (1 source, 1 article)
- Exploitation leverages the lsws.redisAble function to run arbitrary scripts with root privileges on affected cPanel servers.
  First reported: 23.05.2026 10:35 (1 source, 1 article)
- Indicators of compromise include log entries containing the string "cpanel_jsonapi_func=redisAble" (the grep pattern LiteSpeed published) in /var/cpanel/logs or /usr/local/cpanel/logs.
  First reported: 23.05.2026 10:35 (1 source, 1 article)
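The IOC above is a plain substring that LiteSpeed suggests grepping for in the cPanel logs. The following script is an added example, not code from the page, LiteSpeed or cPanel: it applies the same check over access-log-style lines, pulls out the requesting IP, account and timestamp for each hit, and counts hits per account so a responder knows which cPanel accounts to examine first. The log line layout (IP, dash, user, bracketed timestamp, quoted request) and the sample entries are constructed for illustration and only approximate cPanel's access_log; the exact field set is an assumption. The script also goes one step beyond the published pattern by URL-decoding the request path before matching, which is added hardening so a percent-encoded "=" in the query string does not slip past a literal substring search.

```python
import re
from urllib.parse import unquote

# IOC string from LiteSpeed's guidance (the grep pattern quoted on the page)
IOC = "cpanel_jsonapi_func=redisAble"

# Constructed sample lines approximating a cPanel access_log layout:
#   IP - user [timestamp] "METHOD path HTTP/1.1" status size
# The field set is an assumption for this example, not copied from a real server.
SAMPLE_LOG = """\
203.0.113.7 - alice [23/05/2026:09:12:01 -0000] "GET /cpsess123/frontend/jupiter/index.html HTTP/1.1" 200 5120
203.0.113.7 - alice [23/05/2026:09:13:44 -0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 87
198.51.100.9 - bob [23/05/2026:09:20:10 -0000] "GET /cpsess456/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func%3DredisAble HTTP/1.1" 200 87
192.0.2.5 - carol [23/05/2026:09:25:00 -0000] "GET /cpsess789/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 300
"""

# Captures the fields we report on; anything after the request path is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def parse_line(line):
    """Return a dict of ip/user/ts/method/path, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_redisable_hit(path):
    """True if the request path carries the IOC, literally or after URL decoding."""
    # First clause behaves exactly like the published grep; second clause is
    # added hardening against percent-encoded variants of the same query.
    return IOC in path or IOC.lower() in unquote(path).lower()


def find_hits(log_text):
    """Scan log text line by line and return the entries that match the IOC."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production scanner would report these
        if is_redisable_hit(rec["path"]):
            hits.append({"ip": rec["ip"], "user": rec["user"],
                         "ts": rec["ts"], "path": rec["path"]})
    return hits


def summarize(hits):
    """Count matching requests per cPanel account."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} {h["path"]}')
    print(summarize(hits))
```

On a real server you would pass the contents of the log files under the two directories named above into find_hits instead of SAMPLE_LOG. A hit only shows that the redisAble function was called by that account; it does not by itself prove the call was malicious, so the per-account counts are a triage aid for deciding which sessions to review.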
- LiteSpeed released patched plugin versions: cPanel plugin 2.4.7 (bundled with WHM plugin 5.3.1.0) to remediate CVE-2026-48172 and additional potential vectors identified during review.
  First reported: 23.05.2026 10:35 (1 source, 1 article)
- Mitigation: upgrade to cPanel plugin 2.4.7 or later; as a temporary measure where upgrading is not immediately possible, remove the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.
  First reported: 23.05.2026 10:35 (1 source, 1 article)