LiteSpeed cPanel Plugin with Root Privilege Escalation Under Active Exploitation

s4mw1se1 pts0 comments

LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation | Halting Problems

Executive Summary

CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-26/27 (CISA KEV). The vulnerability is a critical privilege escalation flaw (CVSS 10.0) in the LiteSpeed User-End cPanel Plugin, versions 2.3 through 2.4.4 (SecurityWeek).

Active exploitation has been observed in the wild. Attackers with low-privileged cPanel account access can leverage the plugin’s JSON API (specifically the lsws.redisAble function) to execute arbitrary scripts with root privileges, resulting in full system compromise. This post details the technical mechanics, impact boundaries, and an automated Python triage script to parse server logs for active exploitation traces.

Key Facts

cve: "CVE-2026-48172"
vendor: "LiteSpeed Technologies"
product: "User-End cPanel Plugin"
unaffected_products: ["LiteSpeed WHM Plugin"]
kev_added: "2026-05-26"
vulnerability: "Incorrect privilege assignment in lsws.redisAble JSON API function"
cwe: ["CWE-266", "CWE-269"]
affected_versions: ["2.3 ]
fixed_versions: ["LiteSpeed WHM Plugin >= 5.3.1.0 (includes cPanel Plugin 2.4.7)"]
nvd_cvss_v31: "10.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
exploitation_status: "cisa_kev_exploited"
zero_day_status: "confirmed_zero_day_exploitation"

Source Confidence & Evidence Mapping

confirmed: CISA KEV lists CVE-2026-48172 as actively exploited, requiring federal agency remediation (CISA KEV).

confirmed: LiteSpeed security release advisory maps the vulnerability to the User-End cPanel plugin and specifies version 2.4.7 as the fixed release bundled inside the updated WHM plugin (LiteSpeed Technologies).

confirmed: SentinelOne Threat Intelligence reports active host-level exploits abusing the JSON API redisAble endpoint to launch tunneling tools and dump shadow files (SentinelOne).

Impact Determination

| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
| --- | --- | --- | --- | --- |
| Confirmed compromise | System audit logs or cPanel access logs contain references to cpanel_jsonapi_func=redisAble, accompanied by unexpected system privilege escalations or root-level binary modifications. | Logs showing redisAble execution queries and corresponding root process generation in /var/log/secure or /var/cpanel/logs. | Isolate the host, terminate active SSH sessions, and run rootkit audits. | Uninstall the plugin or apply the WHM patch, and rotate all server-level passwords and keys. |
| Presumed exposed | The cPanel server runs LiteSpeed User-End cPanel Plugin versions between 2.3 and 2.4.4, and local user access is active. | Software version detection (version file inside /usr/local/lsws/) mapping to the affected range. | Restrict cPanel user permissions or temporarily uninstall the user-end plugin. | Upgrade the WHM package to 5.3.1.0 or higher to deploy the patched cPanel plugin 2.4.7. |
| Potentially exposed | A web server utilizes LiteSpeed web server technology, but the installation status of the cPanel user plugin is unverified. | Service inventory identifying LiteSpeed Web Server without configuration auditing. | Run the Python plugin audit script. | Confirm if the system is presumed exposed, confirmed compromised, or not exposed. |
| Not exposed | The User-End cPanel plugin is completely uninstalled, or is verified running version >= 2.4.7. | Negative plugin inventory matching, or verified patched software version. | None for this CVE. | Version audit report is compiled and archived. |

Timeline

2026-05-18: First anomalous root privilege escalation reports linked to cPanel endpoints noted by hosting provider sysadmins (SecurityWeek).

2026-05-24: LiteSpeed silently releases WHM Plugin 5.3.1.0 patching the user-end cPanel daemon (LiteSpeed Technologies).

2026-05-26: CISA adds CVE-2026-48172 to the KEV catalog due to rapid exploitation spikes in shared-hosting environments (CISA KEV).

What Happened

The User-End cPanel plugin helps individual cPanel users manage LiteSpeed cache settings and cache utilities like Redis. However, the JSON API handler lsws.redisAble did not correctly validate user boundaries before executing system-level actions. A low-privileged cPanel user could pass crafted scripts to this API, which were then executed by the high-privileged background manager, instantly escalating their permissions to root.

Technical Analysis

The primary flaw lies inside the privilege boundaries of the Captive cPanel script hooks. Because the background API helper executes with root context to manage system services, the lack of input sanitization in the redisAble routine allowed command injection.
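An added example (not the post's own triage script, which this page does not reproduce): a minimal Python triage pass built from the indicators in the Impact Determination table. The access-log line layout, the sample lines and all function names are assumptions; the version bounds come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Version bounds as stated on the page: affected 2.3 through 2.4.4, fixed in 2.4.7.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (2, 3), (2, 4, 4), (2, 4, 7)
# Assumed access-log layout: ip - user [time] "METHOD url PROTO" ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)')

def _pad(v):
    return (tuple(v) + (0, 0, 0, 0))[:4]  # so 2.3 and 2.3.0 compare equal

def classify_version(text):
    """Return an exposure class for a plugin version string (None = not installed)."""
    if text is None:
        return "not_exposed"
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return "unverified"  # unparseable version: do not guess
    v = _pad(int(p) for p in parts)
    if v >= _pad(FIXED):
        return "not_exposed"
    if _pad(AFFECTED_MIN) <= v <= _pad(AFFECTED_MAX):
        return "presumed_exposed"
    return "unverified"  # outside both ranges the page states (e.g. 2.4.5)

def find_redisable_hits(lines):
    """Return requests whose query string calls cpanel_jsonapi_func=redisAble."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, user, when, url = m.groups()
        params = parse_qs(urlsplit(url).query)  # percent-decodes names and values
        funcs = [f.lower() for f in params.get("cpanel_jsonapi_func", [])]
        if "redisable" in funcs:
            hits.append({"ip": ip, "user": user, "time": when})
    return hits

def triage(version, lines):
    """Log hits outrank version state: a patched host may have been hit earlier."""
    hits = find_redisable_hits(lines)
    return ("investigate_compromise" if hits else classify_version(version)), hits

# Constructed sample lines (documentation IPs, made-up users and session token).
SAMPLE = [
    '203.0.113.7 - alice [26/May/2026:10:02:11 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 0',
    '198.51.100.4 - bob [26/May/2026:10:03:40 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 0',
]
if __name__ == "__main__":
    print(triage("2.4.4", SAMPLE))
```

Parameters sent in a POST body do not appear in the request line, so an empty result does not clear a host. Per the table above, a hit is a lead to correlate with root process activity in /var/log/secure, not proof of compromise on its own.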

Affected Assets and Blast Radius

asset_selectors:
- "lsws"
- "LiteSpeed Web Server"
- "cPanel Plugin"
highest_value_assets:
- "Shared hosting servers running cPanel...
