LiteSpeed cPanel CVE-2026-48172 exploitation

Summary

CVE-2026-48172 is a maximum-severity privilege-escalation vulnerability in LiteSpeed's user-end cPanel plugin. LiteSpeed says the flaw is being actively exploited and allows any cPanel user, including a malicious tenant or a compromised hosting account, to abuse the lsws.redisAble function to execute arbitrary scripts as root.

The durable threat-intelligence value is shared-hosting escalation risk: a single compromised cPanel account on an affected server can become full host compromise, with downstream exposure of colocated customer sites, credentials, mailboxes, databases, and deployment secrets.

Why this matters

  • LiteSpeed Web Server and cPanel/WHM are common in shared-hosting environments where many unrelated customer sites may share one administrative control plane.
  • The bar for exploitation is low: the vulnerable function can be reached by any cPanel user, so a normal tenant account, phished panel login, reused password, or web-shell pivot can become root-level host control.
  • Root execution on a hosting node can expose databases, mail spools, TLS keys, site backups, deployment credentials, and other tenants' application secrets.
  • The vendor confirmed active exploitation, and cPanel reportedly pushed automated removal of the user-end plugin on 2026-05-19 to limit additional exposure.

Operational characteristics

  • Affected component: LiteSpeed user-end cPanel plugin versions 2.3 through 2.4.4; LiteSpeed says the WHM plugin itself was not directly affected by this original issue.
  • Exploit primitive: calls to lsws.redisAble / cpanel_jsonapi_func=redisAble can execute arbitrary scripts with root privileges.
  • Exposure model: attackers need a cPanel user context, which can be their own tenant account on shared hosting or an account obtained through credential theft, malware, phishing, web-app compromise, or reseller abuse.
  • Patch and hardening path: LiteSpeed fixed the original issue in cPanel plugin 2.4.5, then released cPanel plugin 2.4.7 bundled with WHM plugin 5.3.1.0 after a broader security review.
  • Exploitation status: LiteSpeed's 2026-05-21 advisory states the vulnerability is being actively exploited; no public source reviewed here names a specific actor or malware payload for this exploitation wave.

Defender heuristics

  • Upgrade to LiteSpeed WHM Plugin 5.3.1.0 or later, which bundles cPanel plugin 2.4.7 or later; if patching is blocked, remove the user-end plugin as a temporary containment measure.
  • Search cPanel logs for cpanel_jsonapi_func=redisAble and treat any unrecognized source IPs or user sessions as a probable compromise lead.
  • For confirmed hits, preserve /var/cpanel/logs, /usr/local/cpanel/logs, shell history, process listings, service changes, cron/systemd persistence, web-root mtimes, SSH key changes, package-manager logs, and authentication logs before cleanup.
  • Review all cPanel users on the host, not just the account tied to the initial log hit; root execution creates cross-tenant risk.
  • Rotate credentials and keys accessible from hosted sites and cPanel/WHM after a confirmed exploit window, including database passwords, mail credentials, deployment tokens, API keys, and SSH keys.
  • Hunt for post-exploitation artifacts such as new privileged users, modified authorized_keys, unexpected PHP/Perl/Python shell scripts, cron entries, altered LiteSpeed/cPanel plugin files, suspicious Redis-related commands, and outbound connections shortly after redisAble requests.
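
The log search from the heuristics above, as an added triage example (not LiteSpeed or cPanel code). It assumes combined-log-style access lines (`ip - user [timestamp] "request" status ...`); the function names, the `known_ips` allowlist, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout: ip - user [timestamp] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
INDICATOR = "cpanel_jsonapi_func=redisable"  # string from the advisory, lower-cased

# Constructed sample lines: documentation IP ranges, made-up users and session tokens.
SAMPLE_LOG = """\
203.0.113.45 - tenant42 [05/20/2026:03:12:45 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.45 - tenant42 [05/20/2026:03:12:51 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel%5Fjsonapi%5Ffunc=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.10 - admin1 [05/20/2026:09:00:02 -0000] "GET /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.7 - shopuser [05/20/2026:09:01:10 -0000] "GET /cpsess0000000003/frontend/jupiter/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

def find_redisable_hits(lines):
    """Return one record per log line that references the redisAble call."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Percent-decode and lower-case so encoded or case-varied requests still match.
        if INDICATOR not in unquote(line).lower():
            continue
        m = LINE_RE.match(line)
        # Keep lines that match the indicator but not the layout: still a lead.
        fields = m.groupdict() if m else {"ip": "?", "user": "?", "ts": "?"}
        hits.append({"line": n, "ip": fields["ip"], "user": fields["user"], "ts": fields["ts"]})
    return hits

def triage(hits, known_ips=frozenset()):
    """Group hits from unrecognized source IPs by (user, ip) for follow-up."""
    leads = defaultdict(list)
    for h in hits:
        if h["ip"] not in known_ips:
            leads[(h["user"], h["ip"])].append(h["ts"])
    return dict(leads)

if __name__ == "__main__":
    hits = find_redisable_hits(SAMPLE_LOG.splitlines())
    for (user, ip), stamps in triage(hits, known_ips={"198.51.100.10"}).items():
        print(f"LEAD user={user} ip={ip} requests={len(stamps)} first={stamps[0]}")
```

The earliest timestamp per lead bounds the window to use when correlating with the post-exploitation artifacts listed above.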

Sources

  • LiteSpeed advisory: https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
  • The Hacker News: https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
  • cPanel support notice: https://support.cpanel.net/hc/en-us/articles/40599423437079-Security-LiteSpeed-plugin-automatically-removed-during-nightly-update-May-19-2026
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-48172
  • GitHub Security Advisory: https://github.com/advisories/GHSA-fxrh-cwjh-m33v