LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation

Suspected
Discovered May 27, 2026

CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.

0
Affected Packages
0
Observables
5
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-26 with a 2026-05-29 remediation due date CISA KEV opens in a new tab. The vulnerability is a critical privilege escalation flaw in the LiteSpeed User-End cPanel Plugin: any cPanel user account can abuse lsws.redisAble to execute arbitrary scripts as root LiteSpeed opens in a new tab NVD opens in a new tab.

NVD now records the exact vendor advisory and release-log references, lists vulnerable LiteSpeed cPanel Plugin versions up to but excluding 2.4.7, and includes the vendor-recommended log sweep for cpanel_jsonapi_func=redisAble under /var/cpanel/logs and /usr/local/cpanel/logs NVD opens in a new tab. This post details the technical mechanics, impact boundaries, and an automated Python triage script to parse server logs for active exploitation traces.

Key Facts

Cve: CVE-2026-48172

Vendor: LiteSpeed Technologies

Product: User-End cPanel Plugin

Unaffected Products:

  • LiteSpeed WHM Plugin

Kev Added: 2026-05-26

Vulnerability: Incorrect privilege assignment in lsws.redisAble JSON API function

Cwe:

  • CWE-266
  • CWE-269

Affected Versions:

  • 2.3 <= LiteSpeed cPanel Plugin < 2.4.7
  • LiteSpeed WHM Plugin < 5.3.1.0 may bundle an affected cPanel plugin

Fixed Versions:

  • LiteSpeed WHM Plugin >= 5.3.1.0 (includes cPanel Plugin 2.4.7)

Nvd Cvss V31: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Status: cisa_kev_exploited

Zero Day Status: confirmed_zero_day_exploitation

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-48172 as actively exploited, requiring federal agency remediation CISA KEV opens in a new tab.
  • confirmed: LiteSpeed's vendor advisory maps the vulnerability to lsws.redisAble in the User-End cPanel plugin, says the WHM plugin itself is not affected, and instructs operators to update to WHM Plugin 5.3.1.0 / cPanel Plugin 2.4.7 LiteSpeed opens in a new tab.
  • confirmed: NVD lists affected CPEs up to but excluding cPanel Plugin 2.4.7 and WHM Plugin 5.3.1.0, references the LiteSpeed advisory and release log, and includes the vendor log-check command NVD opens in a new tab.
  • confirmed: The Hacker News independently reported LiteSpeed's active-exploitation statement and credited David Strydom for discovery/reporting The Hacker News opens in a new tab.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseSystem audit logs or cPanel access logs contain references to cpanel_jsonapi_func=redisAble, accompanied by unexpected system privilege escalations or root-level binary modifications.Logs showing redisAble execution queries and corresponding root process generation in /var/log/secure or /var/cpanel/logs.Isolate the host, terminate active SSH sessions, and run rootkit audits.Uninstall the plugin or apply the WHM patch, and rotate all server-level passwords and keys.
Presumed exposedThe cPanel server runs LiteSpeed User-End cPanel Plugin versions between 2.3 and 2.4.4, and local user access is active.Software version detection (version file inside /usr/local/lsws/) mapping to the affected range.Restrict cPanel user permissions or temporarily uninstall the user-end plugin.Upgrade the WHM package to 5.3.1.0 or higher to deploy the patched cPanel plugin 2.4.7.
Potentially exposedA web server utilizes LiteSpeed web server technology, but the installation status of the cPanel user plugin is unverified.Service inventory identifying LiteSpeed Web Server without configuration auditing.Run the Python plugin audit script.Confirm if the system is presumed exposed, confirmed compromised, or not exposed.
Not exposedThe User-End cPanel plugin is completely uninstalled, or is verified running version >= 2.4.7.Negative plugin inventory matching, or verified patched software version.None for this CVE.Version audit report is compiled and archived.

Timeline

What Happened

The User-End cPanel plugin helps individual cPanel users manage LiteSpeed cache settings and cache utilities like Redis. However, the JSON API handler lsws.redisAble did not correctly validate user boundaries before executing system-level actions. A low-privileged cPanel user could pass crafted scripts to this API, which was executed by the high-privileged background manager, instantly escalating their permissions to root.

Technical Analysis

The primary flaw lies inside the privilege boundaries of the Captive cPanel script hooks. Because the background API helper executes with root context to manage system services, the lack of input sanitization in the redisAble routine allowed command injection. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • lsws
  • LiteSpeed Web Server
  • cPanel Plugin

Highest Value Assets:

  • Shared hosting servers running cPanel with LiteSpeed enabled
  • Root administrative accounts and server credentials

Credentials And Data At Risk:

  • Root user hashes and system shadow files
  • cPanel user databases and databases of all hosted clients
  • SSL certificates and server private keys

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Containment

If immediate patching is not possible, uninstall the User-End cPanel Plugin immediately to close the pre-authenticated API surface:

  • Command: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
  • This completely removes the vulnerable user-end integration while leaving the core WHM manager intact.

Eradication & Recovery

  1. Apply Software Upgrades: Upgrade the primary WHM integration to version 5.3.1.0 or higher, which deploys the patched user cPanel plugin version 2.4.7 automatically.
  2. Audit Administrative Accounts: Review all local system users and verify that no unauthorized SSH keys or root users have been added to /etc/passwd or /root/.ssh/authorized_keys.
  3. Rotate Secrets: If the redisAble signature is found in server logs, treat the machine as fully compromised. Rotate all host private keys, local user passwords, and database access credentials immediately.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 27, 2026DisclosureDisclosure recorded for LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation.blog.litespeedtech.com
May 27, 2026First seenFirst seen recorded for LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation.blog.litespeedtech.com
May 27, 2026DiscoveryDiscovery recorded for LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation.blog.litespeedtech.com
May 27, 2026LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege EscalationUnknownblog.litespeedtech.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabblog.litespeedtech.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-litespeed-cpanel-plugin-cve-2026-48172-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

5 of 5 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
blog.litespeedtech.comSecurity Researcher95%1CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
thehackernews.comSecurity Researcher95%1CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
cisa.govSecurity Researcher95%1CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
litespeedtech.comSecurity Researcher95%1CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
nvd.nist.govSecurity Researcher95%1CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.