
LiteSpeed cPanel plugin RCE (CVE-2026-48172, CVSS 10.0) actively exploited — any cPanel user can run code as root

A privilege-escalation flaw in the LiteSpeed User-End cPanel plugin lets any cPanel account execute arbitrary scripts as root. Mass scanning began within 72 hours of disclosure.

A CVSS 10.0 privilege-escalation bug in the LiteSpeed User-End cPanel plugin is being mass-scanned across shared-hosting environments, three days after the vendor disclosed it. CVE-2026-48172 lets any cPanel user — including a freshly-purchased account on a multi-tenant host — execute arbitrary scripts as root.

LiteSpeed published the advisory on May 21. Active exploitation was confirmed by May 24.

What's vulnerable

  • All versions of the LiteSpeed User-End cPanel plugin from 2.3 through 2.4.4.
  • The WHM plugin is not affected.
  • Fixed in 2.4.7+, bundled with WHM plugin 5.3.1.0.

If you operate a cPanel-based shared host with LiteSpeed Web Server, this affects you. If you are a tenant on such a host, your operator's patch state is now part of your attack surface.

The flaw

The plugin exposes a function called lsws.redisAble, intended to let users toggle Redis caching on or off. The function fails to enforce privilege boundaries: any authenticated cPanel user can invoke it via the JSON API and have the resulting script run as root rather than as their own user.

Concretely, the attack is a POST to cpanel.lsws.redisAble with a payload that the plugin executes in a root shell. There's no auth bypass needed — just any valid cPanel login on the box. On a shared host, that's $3/month away.

LiteSpeed's note is terse: "Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root."

Exploitation

The bug is being scanned for with automated tooling — not a targeted campaign by a named group, but a broad opportunistic sweep of internet-exposed cPanel/LiteSpeed installations. Post-exploit behavior observed so far includes:

  • Web-shell drops in /usr/local/cpanel/base/ and tenant public_html directories.
  • Persistence via cron entries owned by root.
  • Credential harvesting from /etc/shadow, /var/cpanel/users/*, and /etc/proftpd/.
  • Pivot attempts to other tenants on the same box.

Detection

LiteSpeed published a one-liner to surface attempts in cPanel logs:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Any matches outside of a planned Redis-toggle action are suspect. Pull at least the last 30 days. If you find evidence of invocation by a non-admin user, treat the host as compromised — rebuild from a known-good image, do not just remove the web shell you can see.
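As an added example (not LiteSpeed's or cPanel's code), the script below runs the same pattern over constructed sample log lines and goes one step further than the vendor one-liner: it reports which accounts invoked redisAble and flags any that are not on an operator allow-list. The access-log line layout ("IP - USER [timestamp] ...") and the allow-list contents are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: find redisAble JSON-API invocations in a
# cPanel access log and report the ones made by accounts that are not on the
# operator allow-list. The log line layout is an ASSUMPTION modelled on
# cPanel's access_log: IP - USER [timestamp] "METHOD URI HTTP/x" status bytes

# Constructed sample log lines (not real data); written to a temp file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - root [24/May/2026:09:12:01 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - tenant01 [24/May/2026:11:03:44 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=lsws HTTP/1.1" 200 301
198.51.100.7 - tenant01 [24/May/2026:11:03:50 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 8812
192.0.2.9 - tenant02 [24/May/2026:11:05:13 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 301
EOF

# Accounts that are allowed to toggle Redis (ASSUMED operator list).
ALLOWED_USERS="root"

# Print "user count" for every non-allow-listed account that called redisAble.
# Accepts a file or a directory (grep -r), matching the vendor one-liner.
suspicious_redisable_calls() {
    target="$1"
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$target" 2>/dev/null \
      | awk -v allowed="$ALLOWED_USERS" '
          BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
          { if (!($3 in ok)) hits[$3]++ }
          END { for (u in hits) print u, hits[u] }' \
      | sort
}

# Returns 0 when the log is clean, 1 when any suspect invocation is present,
# so the function can drive a fleet-wide sweep.
check_host_log() {
    out=$(suspicious_redisable_calls "$1")
    [ -z "$out" ]
}

suspicious_redisable_calls "$SAMPLE_LOG"
```

On a real host, point suspicious_redisable_calls at the log paths from the vendor one-liner; the root entry is not reported because root is on the allow-list, while both tenant accounts are.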

Action checklist

  1. Upgrade the LiteSpeed User-End cPanel plugin to 2.4.7 or later — today.
  2. If you can't upgrade immediately, disable the plugin's JSON API endpoint at the WHM level.
  3. Run the grep above across all hosts in your fleet.
  4. Audit cron, sudo, and /root/.ssh/authorized_keys on any host that was internet-reachable before patching.
  5. If you operate as a tenant: ask your host whether they've patched, in writing. This bug is bad enough to make that a reasonable question.
