LiteSpeed cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.

Rabi LakshmananMay 23, 2026Vulnerabilities / Web Security

A maximum severity security vulnerability affecting the LiteSpeed user-end cPanel plugin has been exploited in the wild.

This flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), is related to an instance of incorrect privilege assignment, which could be exploited by an attacker to execute arbitrary script with elevated privileges.

“cPanel users (including attackers and compromised accounts) could exploit the lsws.redisAble feature to run arbitrary scripts as root,” LiteSpeed said.

This vulnerability affects all versions of the plugin from 2.3 to 2.4.4. LiteSpeed’s WHM plugin is not affected. This issue was resolved in version 2.4.5. Security researcher David Strydom is credited with discovering and reporting this flaw.

LiteSpeed noted that “the vulnerability is being actively exploited,” but declined to share further details. The following indicators of compromise have been shared:

grep -rE “cpanel_jsonapi_func=redisAble” /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If running the aforementioned “grep” command produces no output, your server is not affected. However, if there is output, it is a good idea to examine the IP addresses in the list to determine whether they are legitimate and block them if they are not.

LiteSpeed announced that after conducting a security review of its cPanel and WHM plugins in response to this vulnerability, it has patched both plugins for additional potential attack vectors and released cPanel plugin version 2.4.7 bundled with WHM plugin version 5.3.1.0.

To fix this vulnerability, we recommend upgrading to LiteSpeed WHM plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or later. If an immediate patch cannot be applied, we recommend running the following command to remove the user-end plugin.

/usr/local/lsws/admin/misc/lscmctl cpanelplugin –uninstall

This development comes weeks after a critical vulnerability in cPanel (CVE-2026-41940, CVSS score: 9.8) was confirmed to be actively exploited by unknown attackers to deploy a variant of the Mirai botnet and a ransomware strain called Sorry.

Source link

What's Hot

LiteSpeed cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.

Drupal core SQL injection bug actively exploited and added to CISA KEV

Utilizing AI to revive the voice of a deceased pilot

LiteSpeed cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.

Drupal core SQL injection bug actively exploited and added to CISA KEV

First VPN dismantled in global takedown over use by 25 ransomware groups

Ghostwriter targets Ukrainian government agencies with Prometheus phishing malware

LiteSpeed cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.

Drupal core SQL injection bug actively exploited and added to CISA KEV

Utilizing AI to revive the voice of a deceased pilot

SpaceX launches Starship V3 for the first time, but loses booster on return

Castilla-La Mancha Ignites Innovation: fiveclmsummit Redefines Tech Future

Local Power, Health Innovation: Alcolea de Calatrava Boosts FiveCLM PoC with Community Engagement

The Future of Digital Twins in Healthcare: From Virtual Replicas to Personalized Medical Models

Human Digital Twins: The Next Tech Frontier Set to Transform Healthcare and Beyond

What's Hot

LiteSpeed ​​cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.

Related Posts

LiteSpeed cPanel plugin CVE-2026-48172 can be exploited to execute scripts as root.