Blog

CVE-2026-48172: Critical LiteSpeed cPanel Plugin Vulnerability Gives Attackers Root Access to the Entire Server.

cpanel_warning
CVE / Linux / Security

CVE-2026-48172: Critical LiteSpeed cPanel Plugin Vulnerability Gives Attackers Root Access to the Entire Server.

An attacker gains access to any cPanel account on the server — through a compromised site, a leaked password, brute force — and through a single LiteSpeed plugin function escalates to root on the entire machine. Every account, every database, every site — compromised.

That’s CVE-2026-48172. On May 19, 2026, researcher David Strydom reported a vulnerability in the LiteSpeed user-end cPanel plugin to LiteSpeed Technologies. CVSS 4.0 score: 10.0 CRITICAL — the maximum possible. Attacks are already underway.

HOW THE VULNERABILITY WORKS

The vulnerability lives in the lsws.redisAble function — it handles enabling and disabling Redis for a specific cPanel account. A routine administrative operation. But the function contains a privilege management flaw (CWE-266): the plugin fails to separate the execution context between the user account and the system, so the script ends up running as root.

What makes this particularly dangerous isn’t the mechanism — it’s the bar to exploit it. The attack is remote, needs no privileges, and requires no complex setup. Any cPanel account on a vulnerable server is a way in. You don’t need to own the server, you don’t need the root password, you don’t even need your own site there — compromising any existing account is enough.

The attack chain:

  • The attacker gets access to any cPanel account — via phishing, a leaked password, brute force, or a vulnerability in one of the hosted sites.
  • Sends a specially crafted request to the lsws.redisAble function through the cPanel JSON API.
  • The plugin executes an arbitrary script as root.
  • Full control over the server.

Affected versions: LiteSpeed user-end cPanel plugin 2.3 through 2.4.4 inclusive. The LiteSpeed WHM plugin is not directly vulnerable, but the patched version ships through the WHM plugin — that’s what needs updating.

TIMELINE

Worth noting before the dates: when LiteSpeed received the report, the vulnerability was already being actively exploited. There was no time to sit on it.

  • May 19, 2026 — report received from David Strydom. That same day, cPanel forcibly removed the plugin from all servers via the nightly update. LiteSpeed released cPanel plugin 2.4.6 and WHM plugin 5.3.0.0.
  • May 20, 2026 — CVE identifier requested. NVD published the CVE-2026-48172 entry the same day.
  • May 21, 2026 — extended security review completed with the cPanel/WebPros team. Released cPanel plugin 2.4.7 and WHM plugin 5.3.1.0 — closing both the original vulnerability and additional attack vectors found during the audit.

First report to final patch: two days. For a vulnerability under active exploitation, that’s a solid response.

WHY THIS IS DANGEROUS

CVSS 10.0 isn’t just a scary number. That score means the attack works without authentication, remotely, without complex preconditions, and gives the attacker full control over the system.

On a dedicated server with a single owner, the blast radius is at least contained. But most cPanel servers are shared hosting — dozens or hundreds of sites belonging to different people on one machine. Here the vulnerability breaks the entire concept of account isolation. It doesn’t matter how well your site is locked down — if there’s even one weak account on the same server, the attacker gets root on the whole machine. That means everyone’s at risk: other people’s databases, mail, SSL keys, configs, client data.

That’s why attacks started before the patch was even out. Shared hosting is a concentrated target: compromise one weak link, get access to everything else at once.

WHAT TO DO

Before you update anything, check whether someone has already been on your server. LiteSpeed and NVD both point to the same command — it searches cPanel logs for requests to the vulnerable lsws.redisAble function.

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

The -r flag runs a recursive search across all files in the directory, -E enables extended regular expressions, and 2>/dev/null drops permission errors for files you don’t have access to. No output means no obvious signs of exploitation — but update anyway. If you do see output, look at the IP addresses: legitimate calls to redisAble happen if you’ve managed Redis through cPanel yourself. But unfamiliar IPs — especially ones making repeated requests outside business hours — are a signal to pull system logs for the same window and look for commands run as root that shouldn’t be there.

Now the patch. You need LiteSpeed WHM Plugin 5.3.1.0 or newer — it bundles cPanel plugin 2.4.7 with the vulnerability fixed. Update through WHM: go to Plugins, find LiteSpeed Web Server Plugin for WHM, and update from there. Or run it from the command line as root — this is the official method from LiteSpeed’s documentation, and it works for both fresh installs and upgrades:

cd /usr/src
wget http://www.litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh
sh ./lsws_whm_plugin_install.sh
rm lsws_whm_plugin_install.sh

The script pulls the current version and installs it over the existing one. When it finishes, check the version in WHM — you should see 5.3.1.0 or higher.

If you can’t update right now, remove the vulnerable component. This is the temporary workaround LiteSpeed officially recommends:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

This removes only the user-end cPanel plugin — the WHM plugin and LiteSpeed Web Server itself keep running. It closes the attack vector until you can get the proper patch in place.

CONCLUSIONS

CVE-2026-48172 — CVSS 10.0, actively exploited — is not something you put on next week’s list. Check the LiteSpeed cPanel Plugin version on every server you manage, run the grep command against the logs, and update to WHM Plugin 5.3.1.0.

If you run a hosting provider — one unpatched server can expose the data of hundreds of client sites. If you’re a hosting client — ask your provider whether the plugin has been updated and get confirmation in writing. If you’re a sysadmin of a server running cPanel and LiteSpeed — this one’s on you, and it needs to happen now.

Leave your thought here

Your email address will not be published. Required fields are marked *