Back to Blog
Cybersecurity May 25, 2026 5 min read

CVE-2026-48172 (CVSS 10.0): LiteSpeed cPanel Plugin Actively Exploited — Any User Can Run Scripts as Root

A maximum-severity privilege escalation in the LiteSpeed User-End cPanel Plugin (versions 2.3–2.4.4) is under active mass exploitation. Any low-privilege cPanel account can execute arbitrary scripts as root via the Redis enable/disable workflow. Patch to LiteSpeed WHM Plugin 5.3.1.0 immediately.

CVE-2026-48172 (CVSS 10.0): LiteSpeed cPanel Plugin Actively Exploited — Any User Can Run Scripts as Root

CVE-2026-48172 is a CVSS 10.0 privilege escalation in the LiteSpeed User-End cPanel Plugin affecting versions 2.3 through 2.4.4. It is under active mass exploitation as of May 23, 2026. Any authenticated cPanel user — including a low-privilege shared hosting account — can invoke the vulnerable lsws.redisAble function to execute arbitrary scripts as root on the host. Exploitation is currently opportunistic and automated.

The root cause is broken privilege handling in the Redis enable/disable workflow. The plugin exposes a WHM-level action (lsws.redisAble) to cPanel users without enforcing the privilege boundary between user-space and server-level operations. An attacker with any valid cPanel login — or a compromised application with file system access — can trigger the function, pass a crafted script path, and achieve root-level remote code execution on the underlying server.

The blast radius is significant. LiteSpeed is the default web server for millions of shared hosting environments and VPS instances managed through cPanel/WHM. Entire server populations are affected — not just the vulnerable account. A single compromised low-privilege tenant in a multi-tenant environment can root the host and affect every other account on the machine.

Affected versions: LiteSpeed User-End cPanel Plugin 2.3 – 2.4.4 (bundled in LiteSpeed WHM Plugin prior to 5.3.1.0).

Fixed in: LiteSpeed WHM Plugin 5.3.1.0, which includes cPanel Plugin 2.4.7 or higher. Update via the LiteSpeed WHM dashboard or run:

/usr/local/cpanel/scripts/update_local_rpm_versions --override LiteSpeed

If you cannot patch immediately:

  • Disable the LiteSpeed Redis integration in WHM until the plugin is updated.
  • Audit cPanel user logs for unexpected invocations of lsws.redisAble.
  • Review /tmp, /var/tmp, and cron jobs for dropped scripts owned by root.

The Hacker News and security researchers first flagged active exploitation on May 23. Automated scanning tools are probing for vulnerable hosts across the public internet. This is not a theoretical risk — honeypots are already seeing exploitation attempts.

Any web application hosted in this environment is at full OS-level risk even if the application itself is secure. Laravel, WordPress, Astro static deployments served from a cPanel host, and any other stack running under LiteSpeed on an unpatched server should be considered compromised until the patch is applied and the host audited.

Check your hosting provider’s LiteSpeed version now. If they have not yet deployed 5.3.1.0, open a ticket and request the update. For managed hosting customers, demand written confirmation of patch status — this vulnerability is severe enough to warrant it.

cybersecurity cve litespeed cpanel