A severe security flaw in the LiteSpeed User-End cPanel Plugin is being actively exploited. Tracked as CVE-2026-48172 with a maximum CVSS score of 10.0, the vulnerability stems from improper privilege assignment and allows attackers to execute arbitrary scripts with root-level permissions.
LiteSpeed has stated that “any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root.” This issue affects plugin versions from 2.3 to 2.4.4, while the WHM plugin remains unaffected. The vulnerability has been addressed in version 2.4.5, with security researcher David Strydom credited for its discovery.
To determine if a server has been compromised, administrators can run the following command:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
If this command returns no output, the server is likely unaffected. However, if there is output, it’s crucial to review the listed IP addresses and block any that are unauthorized.
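To make that review easier, the following added example (not from LiteSpeed or the original article) groups the matching log lines by source IP and user so unfamiliar addresses stand out. It assumes access-log style lines with the client IP in the first field and the authenticated user in the third; the sample log lines and the placeholder request path are constructed.

```shell
#!/bin/sh
# Added example: summarise hits for the indicator used in the article's grep.
# Assumption: matching lines are access-log style, with the client IP as the
# first whitespace-separated field and the authenticated user as the third.

INDICATOR='cpanel_jsonapi_func=redisAble'

# summarize_hits PATH... -> "count ip user" per (ip, user), busiest first
summarize_hits() {
    grep -rhE "$INDICATOR" "$@" 2>/dev/null |
        awk '{ hits[$1 " " $3]++ }
             END { for (k in hits) print hits[k], k }' |
        sort -k1,1nr -k2,2
}

# unique_ips PATH... -> one source IP per line, to compare with known admin IPs
unique_ips() {
    summarize_hits "$@" | awk '{ print $2 }' | sort -u
}

# Constructed sample log (addresses are documentation ranges, path is a placeholder)
demo_dir=$(mktemp -d)
cat > "$demo_dir/access_log" <<'EOF'
203.0.113.7 - alice [10/Jan/2026:10:00:01 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - alice [10/Jan/2026:10:00:02 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - bob [10/Jan/2026:10:05:40 +0000] "POST /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.10 - carol [10/Jan/2026:10:06:00 +0000] "GET /placeholder?cpanel_jsonapi_func=listaccts HTTP/1.1" 200 0
EOF

echo "hits per source IP and user:"
summarize_hits "$demo_dir"
echo "distinct source IPs to review:"
unique_ips "$demo_dir"
rm -rf "$demo_dir"

# On a real server, pass the log directories from the article instead:
#   summarize_hits /var/cpanel/logs /usr/local/cpanel/logs/
```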
In response to this vulnerability, LiteSpeed has conducted a comprehensive security review of its cPanel and WHM plugins, patching additional potential attack vectors. They have released cPanel plugin version 2.4.7, bundled with WHM plugin version 5.3.1.0. Users are strongly advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which includes cPanel plugin v2.4.7 or higher. If immediate patching isn’t feasible, it’s recommended to uninstall the user-end plugin using the following command:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
This development follows closely on the heels of another critical cPanel vulnerability, CVE-2026-41940, which was recently exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.
Given the active exploitation of CVE-2026-48172, it’s imperative for administrators to promptly update their LiteSpeed cPanel plugins or take mitigating actions to safeguard their systems. This incident underscores the importance of regular software updates and vigilant monitoring to protect against emerging threats.
Source: The Hacker News