Root Privilege Escalation Exploited via LiteSpeed cPanel Plugin CVE-2026-48172

Exploitation of Critical Vulnerability in LiteSpeed User-End cPanel Plugin

An actively exploited security vulnerability with a maximum severity rating has been discovered in the LiteSpeed User-End cPanel Plugin. This flaw, identified as CVE-2026-48172 with a CVSS score of 10.0, involves incorrect privilege assignment that could allow an attacker to execute arbitrary scripts with elevated permissions.

LiteSpeed has warned that any cPanel user, including attackers or compromised accounts, can exploit the vulnerability to run scripts as root using the lsws.redisAble function.

The vulnerability affects all versions of the user-end cPanel plugin between 2.3 and 2.4.4; LiteSpeed’s WHM plugin is not affected by this flaw. The issue has been resolved in version 2.4.5. Security researcher David Strydom discovered and reported the flaw.

LiteSpeed has confirmed that the vulnerability is currently being actively exploited but has not disclosed specific details. They have shared an indicator of compromise for users to check for potential exploitation:


grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If the above command returns no results, the server is not affected. However, if there is output, users are advised to review the IP addresses listed and block any that are not legitimate.
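To support the IP review described above, here is an added example (not LiteSpeed's tooling and not part of the original article) that tallies hits for the same indicator per client address. It goes one step beyond the advisory's grep by also reading gzip-compressed rotated logs, which a plain grep does not match. It assumes access-log style lines with the client address in field 1 and the authenticated user in field 3.

```sh
#!/bin/sh
# Added example: summarise hits for the indicator of compromise by client.
# Assumption: matching lines are access-log style, with the client address
# in field 1 and the authenticated user in field 3.

IOC='cpanel_jsonapi_func=redisAble'

# ioc_lines DIR... : print every log line containing the indicator,
# reading gzip-compressed files (*.gz) as well as plain ones.
ioc_lines() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) gzip -dc -- "$f" 2>/dev/null ;;
            *)    cat -- "$f" 2>/dev/null ;;
        esac
    done | grep -F -- "$IOC"
}

# ioc_summary DIR... : one line per client address in the form
# "hits address user1,user2", busiest first, for review before blocking.
ioc_summary() {
    ioc_lines "$@" | awk '
        {
            hits[$1]++
            # Record each distinct user seen from this address once.
            if (index("," users[$1] ",", "," $3 ",") == 0)
                users[$1] = (users[$1] == "" ? $3 : users[$1] "," $3)
        }
        END { for (ip in hits) printf "%d %s %s\n", hits[ip], ip, users[ip] }
    ' | sort -k1,1nr -k2,2
}

# When run with arguments, summarise those directories, for example:
#   sh ioc_summary.sh /var/cpanel/logs /usr/local/cpanel/logs
if [ "$#" -gt 0 ]; then
    ioc_summary "$@"
fi
```

Empty output means no line in the searched files contains the indicator; the user column shows which cPanel accounts the requests were made as.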

Following a security audit of its cPanel and WHM plugins after the vulnerability was discovered, LiteSpeed patched additional attack vectors in both plugins and released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0 to address them.

Users are urged to upgrade to LiteSpeed WHM Plugin version 5.3.1.0 or higher, bundled with cPanel plugin v2.4.7, to mitigate the vulnerability. If immediate patching is not feasible, it is recommended to uninstall the user-end plugin using the following command:


/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

This discovery follows recent exploitation of another critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) by unknown threat actors to distribute Mirai botnet variants and a ransomware strain known as Sorry.
