LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access
By Guru Baran
May 22, 2026
LiteSpeed has disclosed and patched a critical 0‑day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers.
The bug is tracked as CVE‑2026‑48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5.
0‑Day in LiteSpeed cPanel Plugin Enables Root
According to LiteSpeed’s advisory, the issue resides in the lsws.redisAble function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
Because exploitation only requires access to a valid cPanel user, a malicious tenant or an already-compromised shared hosting account can pivot to full server takeover.
LiteSpeed confirms the vulnerability has been exploited in the wild, making it a true 0‑day at the time of discovery.
The flaw impacts all deployments running the vulnerable user-end plugin between versions v2.3 and v2.4.4, while the WHM plugin itself is not directly affected. LiteSpeed has issued a fix in cPanel plugin v2.4.5 and later bundled releases, and operators are urged to move to the latest builds without delay.
Detection and Immediate Mitigations
Administrators can quickly check for exploit attempts by searching cPanel logs for calls to the vulnerable function:
```bash
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
```
If the command returns no results, there is currently no evidence of exploitation on that server; any hits should be investigated by validating the source IPs, blocking suspicious addresses, and reviewing system logs for post-compromise activity.
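To support the investigation step above, the following added example (not from LiteSpeed's advisory or the original article) groups hits by source IP and cPanel user, and also reads gzip-rotated logs, which a plain `grep -r` does not search. The function names and sample lines are hypothetical, and the field positions assume a combined-style access log with the IP in field 1 and the user in field 3.

```shell
#!/bin/sh
# Added example: per-source triage of requests naming the redisAble function.
# Assumption (not from the article): combined-style access-log lines,
# source IP in field 1 and authenticated cPanel user in field 3.

PATTERN='cpanel_jsonapi_func=redisAble'   # indicator string from the article

# Emit every matching line from plain and gzip-rotated files under the given
# directories. A plain `grep -r` cannot see inside rotated .gz logs.
redisable_hits() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            case "$f" in
                *.gz) gzip -dc "$f" 2>/dev/null ;;
                *)    cat "$f" 2>/dev/null ;;
            esac
        done
    done | grep -E "$PATTERN" || true   # no hits is a normal result, not an error
}

# Print "count ip user" for each source/account pair, busiest first.
redisable_summary() {
    redisable_hits "$@" |
        awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# Constructed sample data (documentation IPs, made-up users and paths).
write_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access_log" <<'EOF'
203.0.113.10 - alice [19/May/2026:10:00:01 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.10 - alice [19/May/2026:10:00:09 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.7 - bob [19/May/2026:10:02:00 +0000] "GET /constructed?cpanel_jsonapi_func=other HTTP/1.1" 200 0
EOF
    printf '%s\n' '198.51.100.7 - bob [18/May/2026:23:59:00 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0' |
        gzip -c > "$1/access_log.1.gz"
}

# Real run: summarise the two directories the article's grep searches.
redisable_summary /var/cpanel/logs /usr/local/cpanel/logs
```

Each output line is a hit count followed by the source IP and account, which gives a short list of addresses to validate and accounts to review.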
For those unable to patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as a containment measure:
```bash
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
```
LiteSpeed strongly advises upgrading to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7) or higher, which includes the fix for CVE‑2026‑48172 and additional hardening from a broader security review.
In parallel, cPanel has pushed an automated removal of the vulnerable plugin via its May 19, 2026, security update, and instructs customers to force an update with:
```bash
/scripts/upcp --force
```
Following the initial report from security researcher David Strydom on May 19, 2026, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle.
LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on the same day, applied for CVE‑2026‑48172 on May 20, and completed a full security review, shipping cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21.
While additional issues were discovered and patched during this review, there are no current reports of those secondary vulnerabilities being exploited in the wild.
For hosting providers and server administrators, the guidance is clear: assume potential compromise on unpatched systems, update both cPanel and LiteSpeed components immediately, and review logs for suspicious activity originating from cPanel user contexts.
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.