The critical vulnerability CVE-2026-48172 with a maximum CVSS rating of 10.0 in the LiteSpeed User-End cPanel Plugin is being actively exploited by attackers. An incorrect privilege assignment flaw allows any cPanel user — including a compromised account — to execute arbitrary scripts with root privileges via the lsws.redisAble function. All plugin versions from 2.3 to 2.4.4 are affected. Administrators of servers running LiteSpeed must immediately update to cPanel Plugin version 2.4.7 (as part of WHM Plugin 5.3.1.0) or remove the user-end plugin if an update cannot be applied promptly.
Technical analysis of the vulnerability
According to the official LiteSpeed advisory, the root cause of the problem lies in the privilege assignment mechanism (CWE: Incorrect Privilege Assignment). The lsws.redisAble function, which is accessible via the cPanel API, does not properly verify the permissions of the calling user. As a result, any authenticated cPanel user can pass an arbitrary script to this function, which will then be executed in the context of the superuser (root).
Key vulnerability parameters:
- Identifier: CVE-2026-48172
- CVSS score: 10.0 (maximum criticality)
- Affected product: LiteSpeed User-End cPanel Plugin versions 2.3 — 2.4.4
- Not affected: LiteSpeed WHM Plugin (with respect to the original vulnerability)
- Exploitation status: confirmed active exploitation in the wild
- Fixed in: cPanel Plugin 2.4.5 (initial patch), cPanel Plugin 2.4.7 as part of WHM Plugin 5.3.1.0 (extended fix)
The CVSS score of 10.0 reflects a combination of factors: a low entry barrier for an attacker (any cPanel account is sufficient), full system compromise (code execution as root), no need for user interaction, and a network attack vector. Discovery of the vulnerability is credited to security researcher David Strydom.
Why this vulnerability is especially dangerous
The combination of several factors makes CVE-2026-48172 one of the most serious threats to hosting infrastructure:
Scale of potential impact. LiteSpeed Web Server is one of the most widespread web servers in the virtual hosting segment, and cPanel remains the dominant control panel on shared hosting servers. A single cPanel server can host hundreds of customer accounts. Compromise of root access on such a server means full control over all hosted websites, databases, mailboxes, and SSL certificates.
Low bar to exploitation. The attack does not require privileged access — a regular cPanel account is enough. On shared hosting servers such accounts are created in large numbers, and their compromise through phishing or password leaks is a common occurrence. This means an attacker can use any compromised hosting account as a foothold to fully take over the server.
Confirmed exploitation. LiteSpeed explicitly states that the vulnerability is already being used in attacks, although details of the campaigns and the attacker profile are not disclosed.
Detecting compromise
LiteSpeed has provided an indicator of compromise in the form of a command to search for traces of exploitation in cPanel logs:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
Interpreting the results:
- No output — no traces of exploitation via this vector were found in the logs. Keep in mind this does not guarantee the absence of compromise — logs may have been wiped, and the vendor’s check may not cover all attack scenarios.
- Output present — you must analyze the IP addresses in the results, determine whether they are legitimate, and block suspicious ones. It is also recommended to perform a full server audit for installed backdoors, modified system files, and unauthorized accounts.
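To make the triage step above concrete, the following added example (not part of the LiteSpeed advisory) groups indicator hits by source IP and cPanel user and reports the first and last time each was seen. It assumes combined-log-style lines (IP, "-", user, bracketed timestamp, quoted request); the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: group hits on the vendor's indicator by source IP and cPanel user.
# Assumed line layout (combined-log style): IP - user [timestamp tz] "request" status size

INDICATOR='cpanel_jsonapi_func=redisAble'   # string taken from the vendor's grep command

# Reads log lines on stdin; prints "count ip user first_seen last_seen",
# busiest source first. Prints nothing when the indicator never appears.
summarize_hits() {
  grep -F -- "$INDICATOR" | awk '
    {
      ts = $4; sub(/^\[/, "", ts)          # drop the bracket in front of the timestamp
      key = $1 " " $3                      # source IP + authenticated user
      if (!(key in n)) { first[key] = ts; order[++k] = key }
      n[key]++; last[key] = ts
    }
    END {
      for (i = 1; i <= k; i++)
        printf "%d %s %s %s\n", n[order[i]], order[i], first[order[i]], last[order[i]]
    }' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation IP ranges, made-up users and session token).
sample_log() {
  cat <<'EOF'
203.0.113.7 - alice [01/12/2026:10:01:02 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.20 - bob [01/12/2026:10:05:00 -0000] "GET /cpsess0000000000/frontend/index.html HTTP/1.1" 200 0
203.0.113.7 - alice [01/12/2026:10:09:30 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.44 - carol [01/12/2026:11:00:00 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
}

# Demo on the constructed sample; on a server, feed it a real log instead, e.g.
#   summarize_hits < /usr/local/cpanel/logs/access_log
sample_log | summarize_hits
```

The user column shows which cPanel accounts issued the calls, so those accounts can be reviewed along with the source addresses.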
Remediation recommendations
Priority: immediate response. Given the confirmed active exploitation and maximum criticality rating, the update must be applied as soon as possible.
- Update the plugins. Install LiteSpeed WHM Plugin version 5.3.1.0, which includes cPanel Plugin version 2.4.7. This version not only fixes CVE-2026-48172, but also includes patches for additional potential attack vectors that LiteSpeed identified during an internal security audit after discovering the primary vulnerability.
- If an immediate update is not possible — remove the user-end plugin with the command:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
- Check the logs for signs of exploitation using the grep command shown above.
- If signs of compromise are found — block the identified IP addresses, audit system files and accounts, and check cron jobs and autostart entries for persistence mechanisms.
- Consider restricting access to the cPanel interface by IP address via a firewall as an additional protection measure.
Notably, after discovering CVE-2026-48172, LiteSpeed conducted an extended security audit of both plugins — cPanel and WHM — and identified additional potential attack vectors. All of them were eliminated in the updated versions. This underscores that upgrading to cPanel Plugin 2.4.7 (and not just to 2.4.5, which contains the initial patch) is the preferred option.
Administrators of servers running LiteSpeed and cPanel should treat upgrading to WHM Plugin 5.3.1.0 with cPanel Plugin 2.4.7 as an urgent task. Every hour of delay when a root-level vulnerability is known to be actively exploited is an open window for full compromise of the server and all resources hosted on it.