Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Privilege Escalation in LiteSpeed User-End cPanel Plugin redisAble Function

Identifiers: CVE-2026-48172, CWE-266 (Incorrect Privilege Assignment)

CVE-2026-48172 is a critical privilege-escalation vulnerability in the LiteSpeed User-End cPanel Plugin affecting versions 2.3 through 2.4.4, and more generally versions before 2.4.5. The flaw is associated with incorrect privilege assignment and improper handling of the plugin’s Redis enable/disable functionality, exposed through the lsws.redisAble / redisAble JSON API path available to authenticated cPanel users. Reporting also describes the issue as involving a UNIX symlink following weakness in the Redis feature handling path. A low-privileged authenticated cPanel user, including a compromised shared-hosting tenant account or an attacker with FTP or web-shell access to such an account, can abuse this functionality to cause arbitrary scripts to execute with elevated privileges, potentially as root. The issue has been confirmed as actively exploited in the wild in May 2026.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in full privilege escalation from a normal cPanel user context to root on the underlying Linux hosting server. This enables complete compromise of confidentiality, integrity, and availability of the host and all co-located tenants in shared-hosting environments. Reported post-exploitation activity includes arbitrary script execution as root, full administrative control of the server, malware deployment, persistence establishment, configuration tampering, access to other customers’ data, and observed use in the wild to deploy Mirai botnet variants and the Sorry ransomware strain.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, uninstall the user-end cPanel plugin to remove exposure. LiteSpeed provided this command for the purpose:

    /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Restrict access to cPanel/WHM interfaces by source IP where feasible, especially in shared-hosting environments.

Hunt for exploitation by searching cPanel logs for redisAble API calls, e.g.:

    grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If matches are found, investigate the source IPs, block suspicious addresses, review system logs for follow-on activity, and assess for root-level persistence such as unexpected privileged users, cron jobs, SSH keys, modified binaries, web shells, and unusual outbound connections.
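The log hunt described above can be turned into a per-source triage list. The script below is an added example, not code from LiteSpeed or this page: it groups redisAble hits by source IP and cPanel user so the busiest callers are reviewed first. The field positions (IP in field 1, user in field 3, timestamp in field 4) and the sample log lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): group redisAble JSON API hits by source IP and user.
# Assumption: access-log layout with client IP in field 1, authenticated user in
# field 3 and "[timestamp" in field 4. Check this against your own cPanel logs.

PATTERN='cpanel_jsonapi_func=redisAble'   # indicator string given in the advisory

# summarize_redisable PATH...
# Prints "hits ip user first_seen last_seen" per (ip, user), busiest first.
# first_seen/last_seen follow the order lines are read, not a sorted timeline.
summarize_redisable() {
  grep -rhE "$PATTERN" "$@" 2>/dev/null |
  awk '{
    key = $1 " " $3
    ts = substr($4, 2)                 # drop the leading "["
    hits[key]++
    if (!(key in first)) first[key] = ts
    last[key] = ts
  }
  END { for (k in hits) print hits[k], k, first[k], last[k] }' |
  sort -k1,1nr -k2,2
}

# make_sample DIR: write constructed log lines (documentation-range IPs) for a dry run.
make_sample() {
  cat > "$1/access_log" <<'EOF'
203.0.113.10 - tenant1 [10/May/2026:03:14:07 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
203.0.113.10 - tenant1 [10/May/2026:03:14:09 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
198.51.100.7 - tenant2 [10/May/2026:04:00:00 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
198.51.100.7 - tenant2 [10/May/2026:04:01:00 -0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
EOF
}

# Dry run against the constructed sample; on a real host pass the log paths instead.
SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
summarize_redisable "$SAMPLE_DIR"
```

On a host, call `summarize_redisable /var/cpanel/logs /usr/local/cpanel/logs/` and treat each listed user as a candidate compromised tenant account when working through the persistence checks above.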

Remediation

Patch, then assume compromise.

Upgrade the LiteSpeed User-End cPanel Plugin to a fixed release immediately. The vulnerability is fixed in version 2.4.5, and the vendor-recommended minimum version is 2.4.7. Multiple sources also recommend upgrading to LiteSpeed WHM Plugin 5.3.1.0 bundled with cPanel plugin 2.4.7 or later as the preferred hardened release. Verify the actual deployed plugin version on each host rather than relying only on inventory records, and review affected systems for signs of compromise after patching.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

| Vendor | Product | Type |
|---|---|---|
| Litespeed Technologies | User-End Cpanel Plugin | application |
| Litespeedtech | Litespeed Cpanel Plugin | application |
| Litespeedtech | Litespeed Whm Plugin | application |

Vendor-confirmed product mapping.

ACTIVITY FEED

Recent activity

106 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
