LiteSpeed cPanel Plugin CVE-2026-48172 Exploited for Root Scripts

Stephanie Adlam
Stephanie Adlam
5 Min Read
LiteSpeed cPanel CVE-2026-48172 root script risk

LiteSpeed has patched CVE-2026-48172, an actively exploited privilege-escalation flaw in its user-end cPanel plugin. Hosting providers and server owners using the affected plugin should update to the bundled WHM Plugin v5.3.1.0 / cPanel user-end plugin v2.4.7, then check cPanel logs for redisAble abuse.

The bug matters because it changes the trust boundary of shared hosting. LiteSpeed says any cPanel user, including a compromised account, could abuse lsws.redisAble to execute arbitrary scripts as root. That is a different risk class from a normal website compromise: one weak hosting account can become a server-level incident.

The practical concern is downstream abuse. A root-level path on a shared server can lead to hidden web malware, phishing pages, SEO spam, or backdoors that keep returning after a single infected site is cleaned. Similar hosting-control issues have already appeared in cPanel backdoor activity and broader cPanel/WHM patch cycles.

Who Is Affected?

The exposed group is narrow but important: administrators of cPanel servers where the LiteSpeed user-end cPanel plugin is installed. LiteSpeed says the WHM plugin itself was not affected, but the vulnerable user-end cPanel plugin is bundled with WHM plugin releases.

Shared hosting providers should treat this as urgent because attackers do not need an administrator account if they already control or register a cPanel user account on an exposed server. Site owners on managed hosting should ask their provider whether the affected plugin was present and whether log checks were completed.

Versions and Artifacts to Check

Item Status What to check
cPanel user-end plugin v2.3 through v2.4.4 Vulnerable LiteSpeed says these versions are at risk and exploitation is active.
cPanel user-end plugin v2.4.5 Initial patch The vendor says the original vulnerability was patched here.
WHM Plugin v5.3.1.0 with cPanel plugin v2.4.7 Recommended target LiteSpeed recommends this version or higher after additional hardening.
cpanel_jsonapi_func=redisAble Exposure artifact Search cPanel logs for this string and review source IPs if it appears.
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall Temporary mitigation Use only if the plugin cannot be upgraded immediately.

What to Do Now

First, update the LiteSpeed WHM plugin to v5.3.1.0 or later so the bundled user-end cPanel plugin reaches v2.4.7. LiteSpeed also says cPanel pushed an uninstall command for the user-end plugin on May 19, 2026, which helps reduce exposure on servers that did not update at once.

Next, run the vendor log check exactly as documented:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

No output is the clean result for this specific redisAble indicator. It does not prove the whole server is clean, but it means this public LiteSpeed/cPanel log artifact was not found. Any output should trigger a focused incident review: validate the IP addresses, block unauthorized sources, inspect system logs for actions taken by those IPs, and review hosted sites for new scripts, modified web roots, or persistence that survives a normal website cleanup.

If a hosting account was already suspicious, do not stop at rotating that account password. A root execution path means the server owner should check from the system side, not only from the website control panel.

FAQ

Is CVE-2026-48172 being exploited?

Yes. LiteSpeed says the vulnerability is being actively exploited, so exposed servers should not wait for a routine maintenance window.

Is the LiteSpeed WHM plugin vulnerable?

LiteSpeed says the WHM plugin itself was not affected. The risk is in the user-end cPanel plugin that is bundled with WHM plugin releases.

Which version should I install?

LiteSpeed recommends WHM Plugin v5.3.1.0, bundled with cPanel user-end plugin v2.4.7, or a later release.

What should site owners ask their host?

Ask whether the LiteSpeed user-end cPanel plugin was installed, whether v2.4.7 or later is deployed, and whether logs were checked for cpanel_jsonapi_func=redisAble.

References

  1. LiteSpeed, “Security Update for LiteSpeed cPanel Plugin,” May 21, 2026. Advisory
  2. LiteSpeed Technologies, “cPanel/WHM Plugin Release Log,” updated May 21, 2026. Release log
29 Moonbirds Stolen via Link Click from a Proof Collective Member
New Microsoft SmartScreen Bypass Technique Causes Concerns
Microsoft: SolarWinds Hackers Stole Source Codes of Azure, Exchange and Intune Components
Win.MxResIcn.Heur.Gen
Hacker groups split up: some of them support Russia, others Ukraine
TAGGED:
Share This Article
ByStephanie Adlam
Follow:
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.
Previous Article Packagist postinstall malware supply chain attack featured image Packagist Postinstall Malware: What Developers Should Check
Next Article Trojan:Win32/Cerdigent.A!dha false positive Defender detection guide Trojan:Win32/Cerdigent.A!dha: DigiCert False Positive Fix
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?