Critical (10.0) Actively Exploited

LiteSpeed cPanel privilege escalation (CVE-2026-48172) [PoC]


CVE-2026-48172: LiteSpeed User-End cPanel Plugin pre-2.4.5 privilege escalation to root, actively exploited. Update to 2.4.7 immediately.

Actively exploited in the wild - CVE-2026-48172 is a critical privilege escalation flaw in the LiteSpeed User-End cPanel Plugin before version 2.4.5 that may allow attackers to gain root access on the server. Exploitation was confirmed in May 2026; update to version 2.4.7 immediately.

Overview

CVE-2026-48172 resides in the Redis enable/disable feature of the LiteSpeed User-End cPanel plugin. The software mishandles these operations, allowing an unauthenticated attacker to escalate privileges up to root. This flaw is rated CRITICAL with a CVSS score of 10.0, as it requires no authentication, no user interaction, and can be exploited over the network with low complexity.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild as of May 2026. Despite its severity, the Exploit Prediction Scoring System (EPSS) currently gives a 0.0% probability of exploitation in the next 30 days, suggesting that attacks are targeted rather than widespread at this time.

Detection

The recommended detection method uses a command line check in Bash:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
  • No output means the server has not been hit with exploitation of this vulnerability.
  • If output is present, examine the IP addresses in the list. Determine if they are valid IP addresses; if not, block them. Examine system logs for activity from these detected IP addresses to assess damage.
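
As an added example (not part of the advisory or vendor guidance), the script below turns matches for the same indicator into a per-IP summary for the triage step described above. It assumes access-log style lines with the client IP as the first field and the timestamp in square brackets; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage hits for the advisory's indicator by source IP.
# Assumption: access-log style lines, client IP first, timestamp in [brackets].
INDICATOR='cpanel_jsonapi_func=redisAble'

# Print one tab-separated row per source IP: ip, hits, first seen, last seen
# (first/last follow input order). Also reads rotated *.gz files, which a
# plain "grep -r" does not decompress.
redisable_hits() {
  local f
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -cd -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done | grep -F -- "$INDICATOR" | awk '
    {
      ip = $1; ts = "-"
      a = index($0, "["); b = index($0, "]")
      if (a && b > a) ts = substr($0, a + 1, b - a - 1)
      if (!(ip in hits)) { first[ip] = ts; order[++n] = ip }
      hits[ip]++; last[ip] = ts
    }
    END {
      for (i = 1; i <= n; i++) {
        ip = order[i]
        printf "%s\t%d\t%s\t%s\n", ip, hits[ip], first[ip], last[ip]
      }
    }'
}

# Constructed sample lines (documentation IP ranges, placeholder request path).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/May/2026:03:14:07 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.23 - - [12/May/2026:03:15:00 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=OTHER HTTP/1.1" 200 900
203.0.113.7 - - [12/May/2026:03:20:41 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 128
192.0.2.50 - - [13/May/2026:11:02:09 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
}

# With file arguments, summarise those; with none, run on the constructed sample.
if [ "$#" -gt 0 ]; then
  redisable_hits "$@"
else
  tmp=$(mktemp) && sample_log > "$tmp" && redisable_hits "$tmp"; rm -f "$tmp"
fi
```

To cover the paths from the detection command, pass it the files listed by `find /var/cpanel/logs /usr/local/cpanel/logs -type f`.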

Affected Versions

All versions of the LiteSpeed User-End cPanel Plugin before 2.4.5 are vulnerable. The recommended minimum version is 2.4.7.

Remediation

  1. Update immediately: Upgrade the LiteSpeed User-End cPanel Plugin to version 2.4.7 or later.
  2. Check for compromise: Run the detection command above on all cPanel servers. If indicators are found, investigate the affected systems for unauthorized access or backdoors.
  3. Block malicious IPs: If exploitation is detected, block the offending IP addresses at the firewall level.

Security Insight

This vulnerability illustrates a recurring pattern in web hosting control panels - plugin code that manages third-party services (like Redis) is often written with insufficient privilege separation. The ability for an unauthenticated user to escalate directly to root from a feature toggle underscores how critical it is to apply the principle of least privilege to all plugin code, not just core panel functionality. Vendors that integrate external services through plugins should audit these components with the same rigor applied to their primary software.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository (stars): description
  • HORKimhab/CVE-2026-48172 (★ 1): CVE-2026-48172
  • retmakarunia/CVE-2026-48172 (★ 0): cPanel user run arbitrary scripts as root
  • fevar54/CVE-2026-48172---LiteSpeed-cPanel-Plugin-Version-Auditor (★ 0): This script safely checks the local version of the LiteSpeed cPanel plugin to determine if the system is running a version vulnerable to CVE-2026-48172. It does not send exploits or interact with netw

Showing 3 of 3 known references. Source: nomi-sec/PoC-in-GitHub.
