
LiteSpeed cPanel Plugin Privilege Escalation CVSS 10 Exploited

By Eng. Donya Bino

Active exploitation of a critical vulnerability in the LiteSpeed User-End cPanel Plugin has been observed. The flaw allows an attacker to execute arbitrary scripts as root.

The vulnerability is tracked as CVE-2026-48172 and carries the highest possible CVSS score of 10.0.

It was discovered by security researcher David Strydom, and LiteSpeed has confirmed that it is currently being exploited in the wild.

The Vulnerable Function

The LiteSpeed cPanel plugin privilege escalation vulnerability resides in a function called lsws.redisAble.

Any cPanel user, including an attacker or a compromised account, can call the lsws.redisAble function to execute arbitrary scripts as root. In other words, even the lowest level of cPanel access is enough to gain full control of the system.

The flaw is an instance of incorrect privilege assignment: the function should never have been reachable by unprivileged users.

Affected Versions

The LiteSpeed cPanel plugin privilege escalation vulnerability affects all versions of the plugin between 2.3 and 2.4.4.

LiteSpeed's WHM plugin is not affected by this specific vulnerability. The issue itself was fixed in cPanel plugin version 2.4.5.

Users should nevertheless upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which bundles cPanel plugin version 2.4.7 or higher, because that release provides the complete fix for the LiteSpeed cPanel plugin privilege escalation vulnerability.

Active Exploitation

LiteSpeed confirmed that the LiteSpeed cPanel plugin privilege escalation vulnerability is being actively exploited, but the company refrained from sharing additional details about the attacks.

The company provided an indicator of compromise to help server administrators determine if their systems have been targeted, and the indicator involves searching for the redisAble function in cPanel logs.

Administrators should run the command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Interpreting the Indicator of Compromise

The LiteSpeed cPanel plugin privilege escalation indicator of compromise is straightforward.

If the grep command produces no output, the server either was never susceptible to the vulnerability or has not been attacked.

If there is any output, examine the IP addresses that appear in the matching lines and determine whether they are legitimate. Any IP address you do not recognize should be blocked immediately.

The presence of the cpanel_jsonapi_func=redisAble string in logs indicates that someone attempted to exploit the LiteSpeed cPanel plugin privilege escalation vulnerability.
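The indicator above is a single grep; what an administrator actually has to do next is turn the matching lines into a list of source addresses to review. The following script is an added example, not tooling from LiteSpeed or cPanel. It wraps the vendor's search string, tallies how many hits each client IP produced, and separates out addresses that are not on an allowlist of known administrative sources. It assumes that the client IP is the first dotted-quad on each matching log line; the sample log lines it creates are constructed for the demonstration and are not real cPanel log output.

```shell
#!/bin/sh
# Added example (not LiteSpeed's or cPanel's tooling): triage the vendor IoC
# by listing which source IPs called redisAble and how often.
# ASSUMPTION: the client IP appears as a dotted-quad on each matching line.

IOC='cpanel_jsonapi_func=redisAble'   # the string from the vendor advisory

# Print "count ip" for every IP found on lines matching the IoC, most
# frequent first. Arguments: one or more log files or directories, e.g.
#   ioc_hits_by_ip /var/cpanel/logs /usr/local/cpanel/logs/
ioc_hits_by_ip() {
    grep -rhE "$IOC" "$@" 2>/dev/null \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Same as above, but drop IPs in the space-separated allowlist given as $1
# (your own admin or monitoring addresses). Remaining args are log paths.
# What is left is the list to investigate and, if unrecognized, block.
ioc_unrecognized_ips() {
    allow="$1"; shift
    ioc_hits_by_ip "$@" | while read -r count ip; do
        case " $allow " in
            *" $ip "*) ;;                          # known address, skip
            *) printf '%s %s\n' "$count" "$ip" ;;  # needs review
        esac
    done
}

# --- constructed sample data (documentation IPs, not real log content) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LOG="$SAMPLE_DIR/access_log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - alice [01/Jan/2026:10:00:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.5 - alice [01/Jan/2026:10:00:01 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - bob [01/Jan/2026:11:00:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 1024
198.51.100.7 - bob [01/Jan/2026:11:05:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF

echo "All redisAble hits by source IP:"
ioc_hits_by_ip "$SAMPLE_LOG"
echo "Hits from addresses not on the allowlist (198.51.100.7 is a known admin here):"
ioc_unrecognized_ips "198.51.100.7" "$SAMPLE_LOG"
```

On a real server replace the sample path with the two log directories from the advisory. The allowlist only suppresses noise from addresses you already trust; a trusted address that appears in the full tally is still worth a look, because a legitimate user's account may itself be the compromised one.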

The Patch

LiteSpeed released cPanel plugin version 2.4.5 to address the LiteSpeed cPanel plugin privilege escalation vulnerability.

Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins, and the company released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0.

Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0 which is bundled with cPanel plugin v2.4.7 or higher to patch the LiteSpeed cPanel plugin privilege escalation vulnerability.

Temporary Mitigation

If immediate patching is not an option for the LiteSpeed cPanel plugin privilege escalation vulnerability, LiteSpeed recommends removing the user-end plugin entirely.

The command to remove the plugin is: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Removing the plugin eliminates the attack surface for the LiteSpeed cPanel plugin privilege escalation vulnerability, but it also removes the functionality that the plugin provides.

Administrators should plan to reinstall the plugin after applying the patch.

Why This Vulnerability Is Critical

The LiteSpeed cPanel plugin privilege escalation vulnerability earned a CVSS score of 10.0 for several reasons.

The attack vector is network-based, meaning an attacker can exploit the vulnerability remotely, and the attack complexity is low, meaning the exploit is reliable and does not depend on special conditions.

The LiteSpeed cPanel plugin privilege escalation vulnerability requires no privileges and no user interaction, and the impact on confidentiality, integrity, and availability is high.

Any cPanel user including an attacker who has compromised a low-level account can exploit this vulnerability to gain root access.

The Relationship to Recent cPanel Vulnerabilities

The LiteSpeed cPanel plugin privilege escalation vulnerability comes weeks after a critical cPanel vulnerability (CVE-2026-41940) was identified as actively exploited.

That vulnerability had a CVSS score of 9.8, and unknown threat actors were using it to deploy Mirai botnet variants and a ransomware strain called Sorry.

The LiteSpeed cPanel plugin privilege escalation vulnerability is separate but equally dangerous, and the active exploitation of both flaws suggests that attackers are heavily targeting cPanel servers.

Who Is at Risk

The LiteSpeed cPanel plugin privilege escalation vulnerability affects any server running the LiteSpeed User-End cPanel Plugin in versions 2.3 through 2.4.4.

Shared hosting providers are at particular risk because they have many cPanel users, and a compromised account on a shared server can be used to exploit the LiteSpeed cPanel plugin privilege escalation vulnerability and take over the entire server.

Managed hosting customers should verify with their provider that the patch has been applied.

How to Protect Your Server

The LiteSpeed cPanel plugin privilege escalation vulnerability is under active attack. Here is what you need to do:

1. Upgrade immediately. Upgrade to LiteSpeed WHM Plugin version 5.3.1.0 or cPanel plugin version 2.4.7 or higher; the LiteSpeed cPanel plugin privilege escalation vulnerability is fixed in these versions.

2. If you cannot upgrade, remove the plugin. Run /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall; this removes the attack surface for the LiteSpeed cPanel plugin privilege escalation vulnerability until you can patch.

3. Check your logs for exploitation. Run the grep command to search for cpanel_jsonapi_func=redisAble in your cPanel logs, and block any unauthorized IP addresses that appear.

4. Monitor for suspicious activity. The LiteSpeed cPanel plugin privilege escalation vulnerability gives attackers root access, so look for unexpected root processes, new user accounts, and outbound connections to unknown IP addresses.

5. Rotate all cPanel user passwords. If you have any indication of compromise, rotate passwords for all cPanel users because the attacker could have exploited a low-privileged account.
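The first decision in the checklist above is whether the installed plugin version falls inside the affected range 2.3 through 2.4.4, and version strings are easy to compare wrongly (a plain string comparison puts 2.4.10 before 2.4.4). The script below is an added example, not LiteSpeed's or cPanel's tooling: it compares versions with sort -V ordering and prints the advisory's recommended step for a given version. It assumes the administrator supplies the version string; it does not query the plugin itself.

```shell
#!/bin/sh
# Added example (not LiteSpeed's or cPanel's tooling): classify an installed
# User-End cPanel plugin version against the affected range named in the
# advisory and print the matching step from the checklist.
# ASSUMPTION: the version string is supplied by the admin (not auto-detected).

AFFECTED_MIN='2.3'      # first affected version per the advisory
AFFECTED_MAX='2.4.4'    # last affected version per the advisory
FIX_VERSION='2.4.5'     # CVE fix
FULL_FIX='2.4.7'        # bundled with WHM plugin 5.3.1.0, includes follow-up hardening

# version_le A B : true when A <= B in natural version order
# (sort -V makes 2.4.10 sort after 2.4.4, unlike a string comparison).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_affected VERSION : true when AFFECTED_MIN <= VERSION <= AFFECTED_MAX
is_affected() {
    version_le "$AFFECTED_MIN" "$1" && version_le "$1" "$AFFECTED_MAX"
}

# recommended_action VERSION : print the checklist step for this version
recommended_action() {
    if is_affected "$1"; then
        echo "affected: upgrade to cPanel plugin $FULL_FIX+ (WHM plugin 5.3.1.0), or run lscmctl cpanelplugin --uninstall until you can"
    elif version_le "$1" "$AFFECTED_MIN"; then
        echo "outside the stated affected range (older than $AFFECTED_MIN); confirm against the vendor advisory"
    elif version_le "$FULL_FIX" "$1"; then
        echo "patched: $1 includes the CVE fix and LiteSpeed's follow-up hardening"
    else
        echo "CVE fix present ($FIX_VERSION+), but upgrade to $FULL_FIX / WHM plugin 5.3.1.0 for the follow-up hardening"
    fi
}

# Demo over a few representative version strings.
for v in 2.2 2.3 2.4.4 2.4.5 2.4.7 2.4.10; do
    printf '%s -> %s\n' "$v" "$(recommended_action "$v")"
done
```

Whatever the classification, steps 3 to 5 of the checklist (log check, monitoring, password rotation) still apply to any server that was running an affected version while exploitation was ongoing, since a patch closes the door but does not evict an attacker who already came through it.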

The Discovery

Security researcher David Strydom discovered the LiteSpeed cPanel plugin privilege escalation vulnerability and reported it to LiteSpeed.

LiteSpeed credited Strydom for discovering and reporting the flaw, and the company worked with him through coordinated disclosure before releasing the patch.

The LiteSpeed cPanel plugin privilege escalation vulnerability was disclosed after the patch was available, but active exploitation was already occurring.

Final Thoughts

The LiteSpeed cPanel plugin privilege escalation vulnerability is another example of how plugin vulnerabilities can lead to full server compromise.

A single function called lsws.redisAble with incorrect privilege assignments allows any cPanel user to execute arbitrary scripts as root, and the LiteSpeed cPanel plugin privilege escalation vulnerability is being actively exploited right now.

If you run a server with the LiteSpeed User-End cPanel Plugin, check your version today, run the grep command to check for exploitation, and upgrade to the patched version immediately.

The LiteSpeed cPanel plugin privilege escalation vulnerability is a perfect storm: it is trivial to exploit, it grants root access, and attackers are already using it. Do not wait to patch.

FAQ Section

What is CVE-2026-48172?

CVE-2026-48172 is a LiteSpeed cPanel plugin privilege escalation vulnerability with a CVSS score of 10.0. The flaw allows any cPanel user to call the lsws.redisAble function and execute arbitrary scripts as root.

What versions of the LiteSpeed cPanel plugin are affected?

The LiteSpeed cPanel plugin privilege escalation vulnerability affects all versions between 2.3 and 2.4.4, and the fix is included in version 2.4.5 and higher.

Is the LiteSpeed WHM plugin affected?

No. Only the LiteSpeed User-End cPanel Plugin is affected by this privilege escalation vulnerability; the WHM plugin is unaffected.

How can I tell whether my server has been targeted by exploitation of this vulnerability?

Run grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null and look at the output. If the command returns anything, someone has attempted to exploit the privilege escalation vulnerability in the LiteSpeed cPanel Plugin.

If I am unable to patch immediately, what should I do? 

Run /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall to remove the vulnerable plugin until you are able to apply the patch, then reinstall the plugin.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067