CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day (CVE-2026-48172)

What Is CVE-2026-48172?

A critical zero-day privilege escalation vulnerability — tracked as CVE-2026-48172 with a CVSS score of 10.0 — has been discovered in the LiteSpeed User-End cPanel Plugin. The flaw allows any authenticated cPanel user to execute arbitrary scripts with full root privileges, effectively handing attackers complete control over the server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, mandating that Federal Civilian Executive Branch agencies patch or remove the affected plugin by May 29, 2026.

How the Vulnerability Works

The root cause is a logic flaw inside the plugin’s lsws.redisAble JSON-API endpoint, which is exposed by default to every logged-in cPanel user. A single malformed API call with specific parameter values is enough for an attacker to escalate privileges to root — no race condition, no authentication bypass needed.

This makes exploitation dangerously simple, particularly in shared-hosting environments where every tenant already holds a valid cPanel session. A compromised low-privilege account can weaponize the flaw to take over the entire server and all tenants hosted on it.

Affected Versions

  • Vulnerable: LiteSpeed cPanel User-End Plugin versions 2.3 through 2.4.4
  • Not affected: LiteSpeed WHM plugin
  • Patched: Version 2.4.5 and above (full patch in WHM Plugin v5.3.1.0 bundled with cPanel Plugin v2.4.7)

Enterprise Exposure Is Broader Than Expected

While this vulnerability primarily targets shared hosting environments, enterprise exposure is significant and often invisible. Many enterprise organizations operate brand sites, campaign domains, and legacy marketing properties on shared cPanel hosting — infrastructure that may have been provisioned years ago and is no longer actively monitored by central IT.

LiteSpeed’s widespread adoption as the default web server engine on cPanel platforms means millions of sites may be affected. According to security researchers, one compromised server in a shared hosting environment can expose hundreds of tenants through a plugin they never chose to install.

Part of a Larger Attack Pattern

This vulnerability doesn’t exist in isolation. CVE-2026-41940 — another critical cPanel flaw with a CVSS score of 9.8 — compromised approximately 44,000 servers just weeks earlier and was used to deploy Mirai botnet variants and Sorry ransomware. CVE-2026-48172 is the second critical zero-day in the cPanel ecosystem in less than a month, signaling a sustained targeting campaign against hosting infrastructure.

Immediate Action Required

Step 1 — Check if you’re vulnerable

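The command below searches the cPanel logs for requests to the redisAble function. Any match shows that the endpoint has been called and should be reviewed; an empty result does not by itself confirm that the plugin is absent or patched.

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null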

Step 2 — Patch immediately

Upgrade to LiteSpeed WHM Plugin v5.3.1.0, bundled with cPanel Plugin v2.4.7 or higher.

Step 3 — If you cannot patch immediately

Remove the user-end plugin entirely by running:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Step 4 — Audit your logs

Investigate server logs for evidence of privilege escalation, unauthorized script execution, or suspicious API activity. Block any unauthorized IP addresses identified during the review.
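
A triage helper for Steps 1 and 4, added here as an example and not taken from LiteSpeed, cPanel or CISA: it checks a plugin version against the affected range listed above and groups redisAble requests by client IP, cPanel user and HTTP status. The function names are hypothetical, the log lines are constructed, the combined-log-style line layout is an assumption, and the caller supplies the installed version string.

```bash
#!/usr/bin/env bash
# Added triage helper for CVE-2026-48172; not LiteSpeed or cPanel code.

# Exit 0 if a User-End plugin version is inside the vulnerable range given
# on this page (2.3 through 2.4.4). The caller supplies the version string.
is_vulnerable_version() {
    [ "$(printf '%s\n' 2.3 "$1" | sort -V | head -n1)" = "2.3" ] &&
    [ "$(printf '%s\n' 2.4.4 "$1" | sort -V | tail -n1)" = "2.4.4" ]
}

# Group requests that call redisAble by client IP, cPanel user and HTTP status.
# Assumption: combined-log-style lines (IP - USER [time] "request" STATUS size ...).
# Arguments are log files or directories, as in the grep command from Step 1.
summarize_redisable_hits() {
    grep -rh -- 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null |
    awk '{
        status = "-"
        # the status code is the 3-digit field right after the quoted request line
        if (match($0, /" [0-9][0-9][0-9] /)) status = substr($0, RSTART + 2, 3)
        count[$1 " " $3 " " status]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# Constructed sample lines (documentation IP ranges, made-up users and tokens).
sample_log() {
    cat <<'EOF'
203.0.113.7 - tenant1 [26/May/2026:10:01:02 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - tenant1 [26/May/2026:10:01:09 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.23 - tenant2 [26/May/2026:11:15:40 -0000] "GET /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 97 "-" "Mozilla/5.0"
198.51.100.23 - tenant2 [26/May/2026:11:16:02 -0000] "GET /cpsess1111111111/frontend/jupiter/index.html HTTP/1.1" 200 9043 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed sample: one output line per (IP, user, status) group.
demo_log=$(mktemp)
sample_log > "$demo_log"
summarize_redisable_hits "$demo_log"
rm -f "$demo_log"
```

On a live server, pass the same log directories used in Step 1 to summarize_redisable_hits and compare the listed users and IP addresses against expected tenant activity.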

Conclusion

CVE-2026-48172 is a maximum-severity threat actively exploited in the wild with a trivial attack path. Whether you manage your own hosting infrastructure or rely on a managed provider, now is the time to audit every web property for this plugin — not just your core datacenter assets. The CISA deadline is May 29, 2026. Don’t wait.
