LiteSpeed Technologies has shipped an emergency fix for its User-End cPanel Plugin after a maximum-severity flaw came under active exploitation. CVE-2026-48172 carries a CVSS score of 10.0, and the reason is simple: any logged-in cPanel user can use it to run arbitrary scripts as root.
What happened
In a security advisory published on May 21, 2026, LiteSpeed disclosed an incorrect privilege assignment bug in the plugin that shared-hosting customers use to manage LiteSpeed cache settings. The plugin’s lsws.redisAble function — reachable through the cPanel JSON-API and exposed to every authenticated cPanel account by default — executes scripts with root privileges without properly checking who is calling it.
The result is a clean user-to-root escape. As LiteSpeed put it, “any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root.” No exotic preconditions, no chained bugs — one API call from an ordinary hosting account is enough. LiteSpeed confirmed the vulnerability “is being actively exploited” but declined to share attacker details. Security researcher David Strydom is credited with the discovery.
Affected versions
The flaw affects all releases of the LiteSpeed User-End cPanel Plugin from 2.3 through 2.4.4. The separate WHM-side plugin is not affected. LiteSpeed addressed the core issue in version 2.4.5, then ran a broader review of both plugins, patched additional attack vectors it found, and shipped cPanel plugin version 2.4.7 as part of WHM plugin 5.3.1.0.
Impact assessment
cPanel is the dominant control panel for shared web hosting, and LiteSpeed is one of the most widely deployed web servers running behind it — so the affected population is large and concentrated on hosting fleets. On a shared host, the account boundary is the entire security model: every customer’s site sits behind a single root. A user-to-root escape collapses that boundary completely.
In practice that means a single weak customer password, one vulnerable WordPress install, or one malicious tenant is enough to take the whole machine — and with it every other site’s files, databases, and credentials on that server. This is exactly the bug class that gets weaponized quickly across hosting providers, which is consistent with LiteSpeed’s report of exploitation already in progress. It also lands just weeks after cPanel CVE-2026-41940 (CVSS 9.8) was exploited to deploy Mirai botnet variants and the “Sorry” ransomware strain — hosting infrastructure is under sustained pressure right now.
What to do right now
Patch. Upgrade to LiteSpeed WHM Plugin 5.3.1.0, which bundles cPanel plugin version 2.4.7 or higher. The 2.4.7 build is preferable to the minimal 2.4.5 fix because it also closes the additional attack vectors found during LiteSpeed’s review.
If you cannot patch immediately, remove the user-end plugin entirely until you can.
Check for exploitation. LiteSpeed’s published indicator of compromise is a grep of the server logs for the name of the vulnerable API call, lsws.redisAble.
No output means the server was not targeted. Any output means you should examine the source IP addresses, determine whether they are legitimate, and block the ones that are not.
Assume compromise if you find hits. Root-level code execution means the entire server should be treated as breached. Rotate all credentials, audit for persistence (cron jobs, authorized SSH keys, modified binaries, web shells), and seriously consider rebuilding the host from known-good media rather than cleaning in place.
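A small triage script, added here and not taken from LiteSpeed’s advisory, that goes one step past the bare grep: it pulls every request referencing lsws.redisAble out of an access log and summarizes the hits by source IP and cPanel account so the “examine the source addresses” step has something to work from. The log layout (Apache-style line with the cPanel account in the user field) and the request URL shapes are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (client IP, cPanel account, timestamp,
# request line) is an assumed Apache-style format, and the URL shapes are
# assumptions too; adjust LINE_RE to match your real cPanel access log.
SAMPLE_LOG = """\
203.0.113.10 - alice [21/May/2026:09:14:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - bob [21/May/2026:09:15:40 +0000] "GET /execute/Email/list_pops HTTP/1.1" 200 2048
203.0.113.10 - alice [21/May/2026:09:16:11 +0000] "POST /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
192.0.2.55 - carol [21/May/2026:10:02:09 +0000] "GET /execute/lsws/redisAble HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# Match the lsws module followed by the redisAble function in dotted, path or
# query-string form, ignoring case so URL-casing tricks do not slip past.
IOC_RE = re.compile(r'lsws.{0,64}?redisable', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_redisable_calls(log_text):
    """Return every parsed request whose path references lsws.redisAble."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and IOC_RE.search(rec["path"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """Aggregate hits by source IP and cPanel account, with first/last timestamps."""
    return {
        "count": len(hits),
        "per_ip": Counter(h["ip"] for h in hits),
        "per_user": Counter(h["user"] for h in hits),
        "first_seen": hits[0]["ts"] if hits else None,  # logs are chronological
        "last_seen": hits[-1]["ts"] if hits else None,
    }

if __name__ == "__main__":
    report = summarize(find_redisable_calls(SAMPLE_LOG))
    if report["count"] == 0:
        print("no lsws.redisAble calls found")
    else:
        print(f'{report["count"]} calls between {report["first_seen"]} and {report["last_seen"]}')
        for ip, n in report["per_ip"].most_common():
            print(f"  {ip}: {n} call(s)")
        for user, n in report["per_user"].most_common():
            print(f"  account {user}: {n} call(s)")
```

Feed it the real log with `find_redisable_calls(open(path).read())`; a hit from an account that has no business touching cache settings, or from an address the customer does not recognise, is what to chase first.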