CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access

Cybersecurity News Archived May 22, 2026 ✓ Full text saved

LiteSpeed has disclosed and patched a critical 0‑day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers. The bug is tracked as CVE‑2026‑48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5. 0‑Day in LiteSpeed cPanel […] The post LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access By Guru Baran May 22, 2026 LiteSpeed has disclosed and patched a critical 0‑day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers. The bug is tracked as CVE‑2026‑48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5. 0‑Day in LiteSpeed cPanel Plugin Enables Root According to LiteSpeed’s advisory, the issue resides in the lsws.redisAble function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges. Because exploitation only requires access to a valid cPanel user, a malicious tenant or an already-compromised shared hosting account can pivot to full server takeover. LiteSpeed confirms the vulnerability has been exploited in the wild, making it a true 0‑day at the time of discovery. The flaw impacts all deployments running the vulnerable user-end plugin between versions v2.3 and v2.4.4, while the WHM plugin itself is not directly affected. LiteSpeed has issued a fix in cPanel plugin v2.4.5 and later bundled releases, and operators are urged to move to the latest builds without delay. Detection and Immediate Mitigations Administrators can quickly check for exploit attempts by searching cPanel logs for calls to the vulnerable function: bashgrep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null If the command returns no results, there is currently no evidence of exploitation on that server; any hits should be investigated by validating the source IPs, blocking suspicious addresses, and reviewing system logs for post-compromise activity. For those unable to patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as a containment measure: bash/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall LiteSpeed strongly advises upgrading to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7) or higher, which includes the fix for CVE‑2026‑48172 and additional hardening from a broader security review. In parallel, cPanel has pushed an automated removal of the vulnerable plugin via its May 19, 2026, security update, and instructs customers to force an update with: bash/scripts/upcp --force Following the initial report from security researcher David Strydom on May 19, 2026, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle. LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on the same day, applied for CVE‑2026‑48172 on May 20, and completed a full security review, shipping cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21. While additional issues were discovered and patched during this review, there are no current reports of those secondary vulnerabilities being exploited in the wild. For hosting providers and server administrators, the guidance is clear: assume potential compromise on unpatched systems, update both cPanel and LiteSpeed components immediately, and review logs for suspicious activity originating from cPanel user contexts. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days FreePBX Vulnerability Allow Attackers to Gain Access to User Portals CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository Latest News Cyber Security News Deleted Google API Keys Continue Accessing Gemini, BigQuery, and Maps APIs Cyber Security News CISA Warns of Microsoft Defender 0-Day Vulnerabilities Exploited in Attacks Cyber Security News Android Malware Silently Subscribes Victims to Premium Services Without Consent Cyber Security News Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University Cyber Security Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗