CyberSecurity SEE

LiteSpeed cPanel Plugin CVE-2026-48172 Used for Root Script Execution

A serious security flaw has surfaced in the LiteSpeed User-End cPanel Plugin. Tracked as CVE-2026-48172 and carrying the maximum CVSS score of 10.0, it is a case of improper privilege assignment: attackers can exploit it to execute arbitrary scripts with elevated permissions, which puts affected systems at grave risk.

According to LiteSpeed, the issue arises when any cPanel user, which might include attackers or compromised accounts, uses the lsws.redisAble function. Doing so executes arbitrary scripts as the root user. The vulnerability is not limited to a specific subset of users; anyone with access can theoretically exploit it, which is what makes the threat critical.

All plugin versions between 2.3 and 2.4.4 are affected. LiteSpeed's WHM plugin is not affected. LiteSpeed has released a patched version, 2.4.5. Security researcher David Strydom is credited with discovering and reporting the flaw.

LiteSpeed has confirmed that the vulnerability is being actively exploited, although further specifics have not been disclosed publicly. To help users determine whether their systems may have been compromised, LiteSpeed provided an indicator of compromise. The recommended command to check for it is:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If the command produces no output, the server remains unaffected. If any output appears, users are urged to scrutinize the IP addresses listed and verify their legitimacy. Any addresses found to be unauthorized should be blocked.
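To make that review of source addresses easier, the sketch below groups matching log lines by client IP and counts them. It is an added example, not LiteSpeed's or the article's own tooling; it assumes each log line begins with the client IP, and the helper names (summarize_ioc_hits, make_sample_logs) and sample log lines are constructed for illustration.

```shell
# Added example: count IoC hits per source IP so each address can be reviewed.
# Assumption: every log line starts with the client IP (combined-log style).
IOC='cpanel_jsonapi_func=redisAble'   # indicator string from the article

# summarize_ioc_hits DIR...  -> prints "<hits> <ip>", busiest source first.
# Prints nothing when no line matches, mirroring the original grep check.
summarize_ioc_hits() {
    grep -rhE "$IOC" "$@" 2>/dev/null |
        awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Constructed sample logs (documentation IP ranges, elided request paths).
make_sample_logs() {
    sample_dir=$(mktemp -d) || return 1
    cat > "$sample_dir/access_log" <<'EOF'
203.0.113.7 - alice [05/20/2026:10:01:02 -0000] "GET /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
192.0.2.10 - bob [05/20/2026:10:02:00 -0000] "GET /... HTTP/1.1" 200
198.51.100.23 - carol [05/20/2026:10:03:09 -0000] "POST /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
EOF
    cat > "$sample_dir/access_log.1" <<'EOF'
203.0.113.7 - alice [05/19/2026:23:58:41 -0000] "GET /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
EOF
    printf '%s\n' "$sample_dir"
}

# Demo on the constructed sample; on a server pass the article's two paths:
#   summarize_ioc_hits /var/cpanel/logs /usr/local/cpanel/logs/
demo_dir=$(make_sample_logs)
summarize_ioc_hits "$demo_dir"
rm -rf "$demo_dir"
```
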

In response to concerns about its cPanel and WHM plugins following the vulnerability's exposure, LiteSpeed carried out a comprehensive security review. The review revealed additional potential attack vectors, which have since been patched in cPanel plugin version 2.4.7, shipped as part of WHM plugin version 5.3.1.0.

Users are strongly encouraged to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which incorporates the patched cPanel plugin v2.4.7 or higher, to address the vulnerability. For those unable to upgrade immediately, LiteSpeed recommends uninstalling the user-end plugin with the following command:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

This vulnerability follows closely on the heels of another critical cPanel security issue, CVE-2026-41940, which carries a CVSS score of 9.8. That earlier vulnerability was confirmed to be actively exploited by unidentified threat actors to deploy variants of the Mirai botnet as well as a ransomware strain known as Sorry. Two critical, actively exploited flaws in quick succession underscore how urgently cPanel users need to act.

In summary, the vulnerability in the LiteSpeed User-End cPanel Plugin exemplifies the ongoing security challenges of managing web hosting platforms. Organizations relying on these plugins are urged to act decisively, either applying the latest patches or removing the vulnerable components, to keep their systems secure against exploitation.
