10.0
Maximum CVSS v4.0 severity score for CVE-2026-48172, reserved for remotely exploitable flaws requiring no special conditions to achieve critical-impact exploitation
14%
Share of all websites globally running on LiteSpeed Web Server per W3Techs 2026, placing this flaw's potential attack surface among the largest in the 2026 CVE landscape
3 days
CISA's federal remediation window for CVE-2026-48172, from KEV listing on May 26 to today's mandatory deadline, one of the shortest patch windows assigned this year
May 19
Date cPanel pulled the vulnerable LiteSpeed plugin from its marketplace, seven days before CISA's public alert, signaling silent exploitation had already been observed

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2026-48172 is a CVSS 10.0 privilege escalation flaw in the LiteSpeed User-End cPanel Plugin that lets any authenticated shared-hosting tenant execute arbitrary scripts as root on the underlying server, CISA added it to its Known Exploited Vulnerabilities catalog on May 26, 2026 and set a mandatory federal remediation deadline of today, May 29. Attackers are already scanning the internet with automated tools targeting vulnerable installations, and at least two post-exploitation payloads, Mirai botnet variants and Sorry ransomware, have been observed on compromised servers.

The vulnerability resides in the LiteSpeed cPanel plugin's lsws.redisAble function, a JSON API endpoint exposed to all cPanel tenant users for managing Redis features. Due to an incorrect privilege assignment flaw (CWE-266), the function executes with the root-level privileges of the LiteSpeed Web Server process. An attacker sends a crafted JSON API request containing the cpanel_jsonapi_func=redisAble parameter with manipulated script content, and the server executes it as root, no further exploitation required. Affected versions span LiteSpeed User-End cPanel Plugin 2.3 through 2.4.4.

The LiteSpeed cPanel plugin privilege escalation is uniquely destructive in shared hosting environments. A single low-privilege customer account, cheaply purchased, easily phished, or freely registered, becomes a root-level foothold on a server that may host hundreds of other customers' websites, databases, email accounts, and credentials. Hosting providers that have not yet patched to WHM Plugin v5.3.1.0 face an open attack path that attackers are scanning for right now. cPanel itself recognized the threat severity first: it removed the plugin from its marketplace on May 19, a full week before CISA's public alert.

How Does the LiteSpeed cPanel Plugin Privilege Escalation Work?

The LiteSpeed cPanel plugin privilege escalation exploits a single design flaw: the plugin's JSON API runs backend operations with root privileges, and user-supplied input reaches those operations without validation.

LiteSpeed Web Server runs as root on cPanel/WHM systems to manage the web server process, bind ports, and control server-wide configurations. The LiteSpeed User-End cPanel Plugin extends this by exposing management functions to individual cPanel tenant users via the cPanel JSON API interface. The lsws.redisAble function, which manages Redis cache toggles per account, was designed to accept user input and pass it to server-side operations. The flaw is that those server-side operations execute in the root context of the LiteSpeed process rather than in the restricted context of the requesting user.

An attacker with any valid cPanel account sends a crafted HTTP request targeting the cPanel JSONAPI with the parameter cpanel_jsonapi_func=redisAble and injects arbitrary script content into the function's input parameters. The plugin processes the request without validating whether the supplied input should be executed and without restricting execution privileges to the requesting user's context. The crafted input runs as root.

The three-step attack chain:

Step 1: Attacker obtains any cPanel account, via credential stuffing from the 16 billion leaked credentials circulating on dark web markets, phishing, or registering as a legitimate customer on any shared hosting provider running the vulnerable plugin.

Step 2: Attacker sends a crafted HTTP request to the cPanel JSONAPI endpoint targeting cpanel_jsonapi_func=redisAble with manipulated input designed to execute an arbitrary shell command.

Step 3: The LiteSpeed process executes the supplied command with root privileges. The attacker now has full root access to the server.

The attack requires no exploit chain, no kernel vulnerability, and no privileged network position. Any cPanel user account is sufficient.

1

Obtain any cPanel account

Attacker registers or purchases a low-privilege shared hosting account on a server running the vulnerable LiteSpeed cPanel plugin v2.3-v2.4.4. No special permissions required.

2

Call redisAble with crafted input

Attacker sends an HTTP request to the cPanel JSONAPI endpoint with cpanel_jsonapi_func=redisAble and injected shell commands in the function's input parameters.

3

Root execution on the server

LiteSpeed's incorrect privilege assignment executes the injected commands as root. Attacker now controls the entire server and all co-hosted tenant accounts.

Attack Surface: How Many Servers Are Exposed?

The LiteSpeed cPanel plugin privilege escalation affects every server that runs LiteSpeed Web Server with the User-End cPanel Plugin at versions 2.3 through 2.4.4, a configuration that is standard on the majority of cPanel/WHM deployments that switched to LiteSpeed from Apache or Nginx.

LiteSpeed Web Server powers 14% of all websites globally as of 2026 per W3Techs, making it the third most widely deployed web server behind only Apache and Nginx. cPanel is the world's most widely deployed web hosting control panel, managing millions of shared hosting servers across commercial web hosts, managed service providers, and self-hosted environments. The intersection, LiteSpeed-powered cPanel servers, represents tens of thousands of live servers across every continent.

The shared hosting amplification factor is the defining risk. A typical shared hosting server hosts between 100 and 500 customer websites on the same physical or virtual machine. One compromised tenant account means an attacker holds root on a server that stores every co-tenant's web files, MySQL databases, email spools, cron jobs, SSH keys, and application credentials. The blast radius of a single exploitation event is not one website: it is the entire server's customer base.

The exploitation profile confirmed by security researchers is automated and opportunistic, not targeted. Attackers are running internet-wide scans for servers exposing the vulnerable cPanel JSONAPI endpoint, not hand-picking victims. Every unpatched server that is reachable from the internet is in active scan scope right now.

cPanel's decision to remove the plugin from its marketplace on May 19, a full week before CISA's public alert, confirms the threat was observed in the wild before any public disclosure. For web hosting operators already managing cPanel attack surface, this represents the second critical unauthenticated or low-privilege-to-root path in the cPanel ecosystem within 30 days.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What Attackers Do With Root Access After Exploiting CVE-2026-48172

Root access on a shared hosting server is not a stepping stone, it is the final destination for multiple distinct threat actor categories, each with a different monetization strategy.

Cryptomining botnet deployment. Automated scanning campaigns targeting CVE-2026-48172 have been observed deploying Mirai botnet variants that recruit compromised servers into distributed computing pools for cryptocurrency mining. Hosting servers are attractive targets for cryptominers: they typically run on high-performance hardware with unlimited bandwidth allocations, making them far more profitable to mine on than compromised end-user workstations.

Ransomware installation. Sorry ransomware has been observed on servers compromised through this vulnerability. A root-level ransomware deployment on a shared hosting server encrypts every co-tenant's website files, databases, and backups simultaneously, multiplying the ransom pressure across hundreds of customers rather than one.

Persistent backdoor installation. Attackers creating long-term footholds drop webshells in web-accessible directories, add unauthorized public keys to /root/.ssh/authorized_keys, and create hidden root-level cron jobs that survive most standard remediation procedures. These backdoors are monetized by selling access to other criminal groups or held for later use in data theft campaigns.

Tenant data exfiltration. With root access, an attacker can read every database credential stored in every customer's configuration files, WordPress wp-config.php, Joomla configuration.php, Magento local.xml, and use those credentials to dump customer databases without the account owner ever knowing. For hosting providers serving e-commerce clients, this path leads directly to payment card data and personally identifiable information covered under GDPR, PCI DSS, and HIPAA.

Pivot to downstream customers. Compromised hosting servers sit at the center of trust relationships with their customers' own users. Attackers with root access can inject malicious JavaScript into every website served by the server, turning a single hosting server breach into a mass drive-by malware delivery operation targeting all visitors to all hosted sites.

The vulnerability enables 'full administrative control over the affected server', attackers can execute arbitrary commands, alter configurations, implant persistent backdoors, and potentially access or manipulate sensitive data belonging to other users on the same server.

CybersecurityNews, CVE-2026-48172 Analysis, May 2026

How to Detect CVE-2026-48172 Exploitation on Your Server

Detection centers on the unique log signature left by exploitation attempts, the cpanel_jsonapi_func=redisAble request pattern, combined with post-compromise artifacts that indicate whether root-level execution occurred.

Primary detection: Log search for exploitation attempts. Run the following command on any server running the LiteSpeed cPanel plugin:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Any output indicates that exploitation was attempted or completed. Examine the source IP addresses and timestamps for each match. Requests from unexpected IPs or in high volumes indicate automated scanning or active exploitation.

Root-level artifact checks after confirmed exploitation. If the log search returns results, escalate to full incident response:

  • Unauthorized root cron jobs: Run crontab -u root -l and compare against your baseline. Cryptomining campaigns typically add persistence via cron.
  • Unauthorized SSH keys: Check /root/.ssh/authorized_keys for keys not placed by your team. An attacker with root access added their key to enable persistent passwordless login.
  • New system accounts: Run lastlog | grep -v "Never" and audit recent login activity. Backdoor campaigns create hidden accounts.
  • Executable files in temp directories: Check find /tmp /var/tmp -type f -executable -newer /var/cpanel/logs 2>/dev/null. Cryptominers and malware droppers stage in world-writable directories.
  • Running mining processes: Run ps aux | grep -E "xmr|miner|cryptonight|monero" to detect active cryptomining processes.

For hosting providers: Extend these checks to all servers managed by WHM, not just those with confirmed log matches. Automated scanners generate requests that may not appear in standard access logs if WAF rules blocked them at the network layer before reaching the cPanel API.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Close This Gap: Remediation Steps for CVE-2026-48172

Patch or uninstall the vulnerable plugin before end of business today. The CISA federal deadline is May 29. Attackers are scanning now.

Update WHM Plugin to v5.3.1.0 or later

Log into WHM, navigate to LiteSpeed Plugin, and update to version 5.3.1.0 or higher. This update bundles LiteSpeed User-End cPanel Plugin v2.4.7, which is the minimum safe version. Version 2.4.5 closes the specific vulnerability; 2.4.7 includes additional security hardening.

Verify the installed plugin version

Run lscmctl plugin --list | grep cpanel at the command line, or check the LiteSpeed Plugin version in WHM > LiteSpeed WebServer > cPanel Plugin. Any version between 2.3 and 2.4.4 is vulnerable and must be updated or removed immediately.

Uninstall immediately if patching is delayed

If a WHM update cannot be completed now, remove the plugin entirely: run /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. This eliminates the attack vector. LiteSpeed Web Server continues to function normally without the cPanel user-end plugin installed.

Audit logs for exploitation evidence

Run grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. If output exists, treat the server as compromised and escalate to full incident response.

Inspect for post-exploitation artifacts

If exploitation is confirmed: check crontab -u root -l for unauthorized cron jobs, review /root/.ssh/authorized_keys for unknown keys, scan /tmp and /var/tmp for recently created executables, and search for webshells in web-accessible directories using find /home -name "*.php" -newer /etc/passwd -exec grep -l eval {}.

Rotate all server and tenant credentials

On any server where exploitation is confirmed or uncertain, notify all co-hosted customers to rotate their database passwords, application API keys, FTP credentials, and any email passwords. Root access allows silent credential extraction from all tenant configuration files.

Add WAF rule to block exploitation pattern during transition

If using ModSecurity, deploy a rule to deny any request containing cpanel_jsonapi_func=redisAble while upgrades are in progress. This stops automated scanners immediately while the patch window is open.

Why the LiteSpeed cPanel Plugin Privilege Escalation Matters for Your Organization

CVE-2026-48172 represents the worst-case attack surface scenario for shared web hosting: a CVSS 10.0 maximum-severity flaw that converts the lowest possible permission level, a standard hosting tenant account, into full root control of a server housing hundreds of customers.

The attack requires no technical sophistication. It requires a valid cPanel account and the ability to send an HTTP request. Low-privilege cPanel accounts are sold on dark web markets for under $10, registered freely on hosting plans, and routinely phished from small business owners who receive fake hosting renewal emails. The entry bar is effectively zero. The exit is root on a server with hundreds of victims.

Friday afternoon is the highest-risk window for exploitation of this class of vulnerability. Security teams are lighter on weekends. Monitoring gaps open. Automated attackers operate continuously regardless of business hours, and they have been scanning for this flaw since CISA's alert on May 26. Every hour between now and a completed patch is an hour of active scan exposure.

The NGINX Rift CVE-2026-42945 unauthenticated RCE vulnerability disclosed two weeks ago demonstrated that web server infrastructure is under sustained targeted research by attackers seeking mass-exploitation opportunities. CVE-2026-48172 confirms the pattern: web server management layers, particularly in shared hosting stacks, are a high-return attack surface because a single exploit event yields access to hundreds of victims simultaneously.

For hosting providers: your CISA deadline is today. For businesses running their own cPanel/WHM stacks: the same urgency applies regardless of federal status. For websites on shared hosting: contact your provider, confirm they have patched, and rotate your database credentials regardless of whether they confirm exploitation.

The remediation is straightforward. Update one plugin. The cost of not doing it before the weekend is measured in every tenant on every unpatched server.

The bottom line

LiteSpeed cPanel plugin privilege escalation CVE-2026-48172 is a CVSS 10.0 maximum-severity flaw that converts any tenant-level cPanel account into full root control of a shared hosting server. Three key takeaways: first, the CISA federal remediation deadline is today, hosting operators still running plugin versions 2.3 through 2.4.4 are in active violation and under active scan. Second, the blast radius is a full server, one exploited account exposes every co-hosted tenant's databases, credentials, and files. Third, the remediation is a single command or package update, run it now, or uninstall the plugin entirely as an immediate mitigation. Audit your logs for the redisAble pattern before end of business today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2026-48172?

CVE-2026-48172 is a CVSS 10.0 privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. Any authenticated cPanel user can exploit the lsws.redisAble function via the JSON API to execute arbitrary scripts with root privileges on the server. CISA added it to its Known Exploited Vulnerabilities catalog on May 26, 2026 with a federal remediation deadline of May 29, 2026.

How does the LiteSpeed cPanel plugin privilege escalation work?

The plugin's lsws.redisAble function manages Redis toggle operations for cPanel tenant users via the JSON API. Due to incorrect privilege assignment (CWE-266), the function executes with root-level privileges belonging to the LiteSpeed Web Server process. An attacker sends a crafted HTTP request containing cpanel_jsonapi_func=redisAble and injects arbitrary shell commands into the function's input parameters. The server executes those commands as root without further exploitation.

Which versions of the LiteSpeed cPanel plugin are affected by CVE-2026-48172?

LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4 are vulnerable. The vulnerability is patched in version 2.4.5, and LiteSpeed recommends upgrading to version 2.4.7, bundled with WHM Plugin v5.3.1.0. The LiteSpeed WHM Plugin itself is not directly affected. If you cannot upgrade immediately, uninstalling the cPanel user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall is a valid temporary mitigation.

How do I detect if my server was exploited via CVE-2026-48172?

Run: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. Any output means exploitation was attempted. If results are found, check for unauthorized root cron jobs via crontab -u root -l, inspect /root/.ssh/authorized_keys for unknown keys, scan /tmp and /var/tmp for executable files, and search web directories for webshells using find /home -name "*.php" -newer /etc/passwd.

Can I uninstall the LiteSpeed cPanel plugin instead of patching?

Yes. Running /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall removes the vulnerable plugin immediately and eliminates the CVE-2026-48172 attack vector. LiteSpeed Web Server continues to operate normally without the cPanel user-end plugin. This is a valid temporary mitigation until you can schedule a full WHM Plugin v5.3.1.0 upgrade.

Does CVE-2026-48172 affect WordPress sites on cPanel hosting?

Every website hosted on a vulnerable shared server is exposed regardless of the content management system. The vulnerability is in the server management layer, not WordPress. An attacker who gains root access via CVE-2026-48172 can read every tenant's wp-config.php file, extract database credentials, dump customer databases, and inject JavaScript into every website served by the server without interacting with WordPress or any application layer at all.

Is shared hosting more at risk than dedicated or VPS hosting?

Shared hosting significantly amplifies the risk. On a shared server, one compromised low-privilege cPanel account exposes every other customer's web files, databases, email, and credentials hosted on that same physical or virtual machine. Dedicated servers and VPS instances isolate each customer on separate environments, meaning CVE-2026-48172 can only reach that single environment. The multi-tenant shared hosting blast radius is what makes this CVSS 10.0 flaw particularly dangerous.

What should hosting providers do right now for CVE-2026-48172?

Update the LiteSpeed WHM Plugin to v5.3.1.0 on all managed servers immediately. Audit every server's access logs for the cpanel_jsonapi_func=redisAble pattern. If exploitation is found, treat it as a full server compromise: check for backdoors, rotate all tenant credentials, and assess regulatory notification obligations for affected customer data. Notify customers on compromised servers to rotate their database passwords, application credentials, and email passwords.

Sources & references

  1. CISA, Known Exploited Vulnerabilities Catalog: CVE-2026-48172
  2. The Hacker News, LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
  3. SecurityWeek, CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
  4. CyCognito, Emerging Threat: CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation to Root
  5. SC Media, CISA adds LiteSpeed cPanel plugin bug to exploited vulnerabilities list

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.