LiteSpeed cPanel Plugin Flaw Enables Privilege Escalation to Root
A privilege-escalation vulnerability tracked as CVE-2026-48172 affects the LiteSpeed User-End cPanel Plugin in versions before 2.4.5 and was reportedly exploited in the wild. The flaw is tied to improper handling of Redis enable/disable functionality and could allow an attacker to escalate privileges, potentially reaching root access. The related LiteSpeed WHM Plugin was identified as the parent plugin but was not affected.
In response, cPanel said the LiteSpeed plugin was automatically removed during a nightly update, indicating active mitigation for affected environments. Defenders were advised to review cPanel log directories for requests containing:
cpanel_jsonapi_func=redisAble
and to investigate associated IP addresses and broader system logs to determine whether exploitation attempts or successful compromise occurred.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-48172 to KEV catalog
CISA added CVE-2026-48172, a LiteSpeed cPanel Plugin privilege-escalation flaw, to its Known Exploited Vulnerabilities catalog on May 26, 2026, citing active exploitation. The agency set a remediation deadline of May 29, 2026 and urged immediate patching or mitigation.
LiteSpeed releases patched plugin updates for CVE-2026-48172
LiteSpeed issued security-focused updates in May 2026 for the affected software, including LiteSpeed User-End cPanel Plugin versions 2.4.6 and 2.4.7 and WHM Plugin 5.3.1.0. Reporting identified 2.4.7 as the recommended minimum version for addressing CVE-2026-48172.
Vulnerability affects LiteSpeed User-End cPanel Plugin before 2.4.5
Public reporting identified CVE-2026-48172 as a privilege-escalation vulnerability affecting LiteSpeed User-End cPanel Plugin versions before 2.4.5, while noting the LiteSpeed WHM Plugin was not affected. Detection guidance advised reviewing cPanel logs for requests containing "cpanel_jsonapi_func=redisAble" and checking related IPs and system logs.
cPanel nightly update automatically removes LiteSpeed plugin
cPanel published a security advisory stating that the LiteSpeed plugin was automatically removed during the nightly update on May 19, 2026. This indicates a mitigation action taken in response to the security issue.
LiteSpeed cPanel plugin reportedly exploited in the wild
The LiteSpeed User-End cPanel Plugin privilege-escalation flaw was reportedly exploited in the wild in May 2026. The issue involved improper handling of Redis enable/disable functionality and could allow privilege escalation, potentially to root.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
14 references tracked. Mallory keeps watching after this page renders.
Security: LiteSpeed cPanel Plugin - May 31, 2026 - cPanel
support.cpanel.net
Open sourceU.S. CISA adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCVE-2026-48172 - LiteSpeed User-End cPanel Plugin Privilege Escalation - TheCyberThrone
thecyberthrone.in
Open sourceCISA adds LiteSpeed cPanel plugin bug to exploited vulnerabilities list | news | SC Media
scworld.com
Open sourceCVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Escalation
darkwebinformer.com
Open sourceCVE-2026-48172 - LiteSpeed cPanel Plugin Privilege Escalation
cvefeed.io
Open sourceSecurity Update for LiteSpeed cPanel Plugin ⋆ LiteSpeed Blog
blog.litespeedtech.com
Open sourceSecurity: LiteSpeed plugin automatically removed during nightly update - May 19, 2026 - cPanel
support.cpanel.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LiteSpeed cPanel Plugin Flaw Lets Shared Hosting Users Escalate to Root
LiteSpeed disclosed and patched **CVE-2026-54420**, a high-severity privilege-escalation flaw in the LiteSpeed cPanel plugin that can let a low-privileged user gain **root** access on shared hosting servers. The bug affects plugin versions before **2.4.8** and stems from improper handling of user-supplied symlinks, a weakness classified as **`CWE-61`**. The issue is especially dangerous on **CloudLinux/CageFS** shared hosting deployments, where a single compromised tenant with FTP or web-shell access could potentially jeopardize other hosted sites on the same server. The vulnerability has been reported as **actively exploited in the wild**, with exploitation observed in May 2026, and carries a **CVSS 8.5** severity rating. LiteSpeed said the fix is included in cPanel plugin version **2.4.8**, bundled with **WHM Plugin v5.3.2.1**, and urged administrators to upgrade immediately or temporarily remove the user-end plugin if patching is not yet possible. Defenders were also advised to review cPanel logs for suspicious activity, including repeated requests to certificate-related endpoints from a single IP address.
Jun 19, 2026
Critical cPanel & WHM Auth Bypass Exploited for Server Takeover
WebPros cPanel disclosed and patched a critical authentication bypass flaw in **cPanel & WHM** and **WP Squared**, now tracked as `CVE-2026-41940` with a **CVSS 9.8** score. The bug affects all supported cPanel & WHM versions after `11.40` prior to fixed releases, and reporting indicates some unsupported versions are likely vulnerable as well. Researchers said the issue stems from improper session handling tied to a **CRLF injection** in the login flow, allowing unauthenticated remote attackers to poison session data and gain administrator or root-level access to exposed hosting control panels. cPanel released emergency updates across supported branches, published detection guidance, and advised administrators to force updates, restart `cpsrvd`, and investigate session files and logs for signs of compromise. Multiple sources reported the flaw was **actively exploited in the wild** before patches were issued, with hosting providers such as **Namecheap** and **KnownHost** taking emergency action by restricting access to management ports like `2083` and `2087` while deploying fixes. **CISA** added `CVE-2026-41940` to its **Known Exploited Vulnerabilities** catalog and ordered federal agencies to remediate quickly, while national cyber agencies in Canada, Austria, and Belgium also warned of the risk. Public technical analysis, proof-of-concept code, and exploit tooling released after disclosure increased the likelihood of broad opportunistic attacks against internet-exposed cPanel systems, which researchers estimated number in the hundreds of thousands to more than a million, raising the risk of website compromise, credential theft, ransomware, phishing, and multi-tenant hosting breaches.
Jun 12, 2026
Critical LiteSpeed Cache Flaw Lets Attackers Create WordPress Admin Accounts
A **critical vulnerability** in the LiteSpeed Cache plugin for WordPress can let attackers create new user accounts — including **administrator** accounts — on affected sites, potentially leading to full site takeover. The issue affects **unpatched versions prior to `6.4`** when the plugin is deployed on **Linux-based systems**; based on available information, the flaw is **not currently believed to be exploitable on Windows-based deployments**. The plugin developer has released a fix in **version `6.4`**, and authorities urged organizations and individuals using WordPress with LiteSpeed Cache to update immediately because **no alternative mitigations are available**. While exploitation of this specific flaw had **not been observed** at the time of reporting, prior vulnerabilities in the same product have been **widely exploited**, increasing the urgency of patching exposed sites.
Apr 27, 2026