LiteSpeed cPanel 0-Day Exploited for Server Plugin Gain

Attackers are actively exploiting a critical 0‑day privilege escalation vulnerability within LiteSpeed’s user-end cPanel plugin to gain root access on Linux hosting servers. LiteSpeed has disclosed and subsequently patched the flaw.

The bug is tracked as CVE‑2026‑48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5.

0‑Day in LiteSpeed cPanel Plugin Enables Root

According to LiteSpeed’s advisory, the issue resides in the lsws.redisAble function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.

Because exploitation only requires access to a valid cPanel user, a malicious tenant or an already-compromised shared hosting account can pivot to full server takeover.

LiteSpeed confirms the vulnerability has been exploited in the wild, making it a true 0‑day at the time of discovery.

The flaw impacts all deployments running the vulnerable user-end plugin between versions v2.3 and v2.4.4, while the WHM plugin itself is not directly affected. LiteSpeed has issued a fix in cPanel plugin v2.4.5 and later bundled releases, and operators are urged to move to the latest builds without delay.

Detection and Immediate Mitigations

Administrators can quickly check for exploit attempts by searching cPanel logs for calls to the vulnerable function:

bashgrep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If the command returns no results, there is currently no evidence of exploitation on that server; any hits should be investigated by validating the source IPs, blocking suspicious addresses, and reviewing system logs for post-compromise activity.

For those unable to patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as a containment measure:

bash/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

LiteSpeed strongly advises upgrading to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7) or higher, which includes the fix for CVE‑2026‑48172 and additional hardening from a broader security review.

In parallel, cPanel has pushed an automated removal of the vulnerable plugin via its May 19, 2026, security update, and instructs customers to force an update with:

bash/scripts/upcp --force

Following the initial report from security researcher David Strydom on May 19, 2026, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle.

LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on the same day, applied for CVE‑2026‑48172 on May 20, and completed a full security review, shipping cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21.

While additional issues were discovered and patched during this review, there are no current reports of those secondary vulnerabilities being exploited in the wild.

For hosting providers and server administrators, the guidance is clear: assume potential compromise on unpatched systems, update both cPanel and LiteSpeed components immediately, and review logs for suspicious activity originating from cPanel user contexts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.