[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdC-sQdZRw5foMdsIl5JZTWN8PUnXtv_c0VgloxLHpkg":3},{"article":4,"iocs":37},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"eea41f24-c600-4b9b-b9cd-81c695a74e93","CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Escalation","cve-2026-48172-critical-litespeed-cpanel-plugin-flaw-exploited-for-privilege-esc-ac3c1a","LiteSpeed User-End cPanel Plugin privilege-escalation vulnerability reportedly exploited in the wild, with potential root-level impact on affected hosting servers.","A critical privilege-escalation vulnerability, CVE-2026-48172, affects the LiteSpeed User-End cPanel Plugin before version 2.4.5. The vulnerability is being actively exploited, potentially allowing a lower-privileged cPanel user to gain root-level control on affected servers, especially in shared hosting environments.","Critical privilege-escalation vulnerability in LiteSpeed cPanel Plugin (CVE-2026-48172) is actively exploited.","⚠ Active Exploitation - Privilege Escalation CVE CVE-2026-48172 CVSS 10.0 Critical Type Privilege Escalation Product LiteSpeed cPanel Plugin CVE-2026-48172 LiteSpeed User-End cPanel Plugin privilege-escalation vulnerability reportedly exploited in the wild, with potential root-level impact on affected hosting servers. Vulnerability Overview CVE-2026-48172 is a critical privilege-escalation vulnerability affecting the LiteSpeed User-End cPanel Plugin before version 2.4.5. According to NVD, the flaw can allow privilege escalation, possibly to root, and was exploited in the wild in May 2026. NVD also notes that the issue is related to mishandling of Redis enable and disable features [NVD]. 
The vulnerability is especially serious for shared-hosting environments because the affected component is the user-facing cPanel plugin, not just an administrator-only control surface. Security reporting around the issue describes the risk as a path from a lower-privileged cPanel user context toward root-level control on affected servers [VulDB]. LiteSpeed’s release log shows multiple security-focused updates on May 20 and May 21, 2026, including the reintroduction and hardening of Redis features in cPanel plugin v2.4.6 and additional security hardening in cPanel User-End Plugin v2.4.7 bundled with WHM Plugin v5.3.1.0 [LiteSpeed Release Log]. CVE ID: CVE-2026-48172; CVSS Score: 10.0 - Critical; Vulnerability Type: Privilege Escalation; Attack Surface: cPanel User-End Plugin; Affected Product: LiteSpeed User-End cPanel Plugin; Affected Versions: Before 2.4.5; Exploitation Status: Exploited in the Wild; Primary Feature Area: Redis Enable \u002F Disable; Potential Impact: Root-Level Compromise; Minimum Fix Noted by NVD: 2.4.7; Recommended WHM Bundle: WHM Plugin 5.3.1.0; Disclosure Window: May 2026. Technical Details The issue is tied to LiteSpeed’s cPanel-side Redis handling. NVD describes exploitation detection around requests containing cpanel_jsonapi_func=redisAble, and states that the vulnerability stems from mishandling of Redis enable and disable features [NVD]. The practical concern is that a web-hosting server running the vulnerable User-End cPanel Plugin may allow a lower-privileged cPanel user or compromised cPanel account to escalate privileges. VulDB classifies the issue as a privilege assignment vulnerability and maps the weakness to CWE-266, describing impact across confidentiality, integrity, and availability [VulDB]. Why Hosting Providers Should Prioritize This This is not a normal single-site web application bug. On shared or reseller hosting infrastructure, one compromised cPanel account can become a wider server-risk event if the vulnerable LiteSpeed User-End plugin is present. 
Any confirmed hit should be treated as potential server compromise, not just plugin abuse. Affected Versions NVD lists the affected product as LiteSpeed User-End cPanel Plugin before 2.4.5. It also notes that the LiteSpeed WHM Plugin, described as the parent plugin, is unaffected by the CVE itself. However, LiteSpeed’s later release log shows additional hardening in the WHM Plugin and cPanel plugin bundle, with WHM Plugin v5.3.1.0 bundled with cPanel User-End Plugin v2.4.7 on May 21, 2026 [NVD] [LiteSpeed Release Log]. Component | Version | Status | Notes: LiteSpeed User-End cPanel Plugin | Before 2.4.5 | Affected | Listed by NVD as vulnerable to privilege escalation. cPanel User-End Plugin | 2.4.5 | Initial Fix Level | NVD describes versions before 2.4.5 as affected. cPanel User-End Plugin | 2.4.6 | Hardened | LiteSpeed release log says Redis features were reintroduced with additional hardening. cPanel User-End Plugin | 2.4.7 | Recommended Minimum | NVD notes 2.4.7 as the recommended minimum version. WHM Plugin | 5.3.1.0 | Updated Bundle | Bundled with cPanel User-End Plugin v2.4.7. cPanel User-End Plugin \u003C 2.4.5 cPanel Plugin 2.4.5 cPanel Plugin 2.4.6 cPanel Plugin 2.4.7 WHM Plugin 5.3.1.0 Detection Guidance NVD provides a direct log-search approach for identifying potential exploitation attempts. Administrators can scan cPanel-related logs for the Redis API function indicator using the following Bash command [NVD]: grep -rE \"cpanel_jsonapi_func=redisAble\" \u002Fvar\u002Fcpanel\u002Flogs \u002Fusr\u002Flocal\u002Fcpanel\u002Flogs\u002F 2>\u002Fdev\u002Fnull Interpreting Results If the command returns no output, NVD indicates that the server has not been hit by exploitation matching this indicator. If output appears, administrators should examine the listed IP addresses, determine whether they are valid, block unauthorized sources, and review system logs for follow-on activity from those IPs. 
Potential Impact Successful exploitation can result in privilege escalation on the affected server, potentially reaching root-level access. In a hosting environment, that can create a high-impact compromise scenario involving customer data exposure, service tampering, malware deployment, persistence, or lateral movement from a compromised hosting node. Impact Area | Risk: Server Control | Possible root-level compromise on affected systems. Customer Sites | Potential tampering, data theft, defacement, or malware staging across hosted accounts. Credentials | Exposure risk for configuration files, database credentials, API keys, and local secrets. Persistence | Attackers may attempt to create backdoors, cron jobs, webshells, or additional privileged users. Recommendations Upgrade immediately. Move to at least cPanel User-End Plugin v2.4.7 and WHM Plugin v5.3.1.0, which LiteSpeed lists as the May 21, 2026 security release bundle [LiteSpeed Release Log]. Search for exploitation indicators. Run the NVD-provided grep command across the cPanel log directories to identify possible redisAble exploitation attempts. grep -rE \"cpanel_jsonapi_func=redisAble\" \u002Fvar\u002Fcpanel\u002Flogs \u002Fusr\u002Flocal\u002Fcpanel\u002Flogs\u002F 2>\u002Fdev\u002Fnull Investigate any matching IP addresses. If the detection command returns output, validate the source IPs, block unauthorized sources, and review system logs for post-exploitation activity. Review server integrity. Check for unexpected privileged users, suspicious cron entries, modified binaries, unfamiliar SSH keys, new webshells, and unusual outbound connections. Rotate exposed secrets if compromise is suspected. Treat hosting-panel credentials, database passwords, API keys, and local service tokens as potentially exposed if exploitation is confirmed. Limit cPanel and WHM exposure. Restrict administrative interfaces to trusted IP ranges, VPN, or Zero Trust access where possible. 
Context LiteSpeed’s May 2026 control-panel plugin updates show a rapid sequence of security changes around the affected cPanel and WHM plugin bundle. On May 20, LiteSpeed released WHM Plugin v5.3.0.0 bundled with cPanel plugin v2.4.6, noting that Redis features were reintroduced with additional security hardening. On May 21, LiteSpeed released WHM Plugin v5.3.1.0 bundled with cPanel User-End Plugin v2.4.7, adding multiple additional security hardening items including adminbin caller-trust validation, safer command execution handling, and defaulting cPanel plugin auto-install to off on fresh installations [LiteSpeed Release Log]. Because NVD describes CVE-2026-48172 as exploited in the wild and potentially leading to root-level privilege escalation, hosting providers and server administrators should treat vulnerable LiteSpeed User-End cPanel Plugin deployments as urgent patch-and-hunt priorities rather than routine maintenance [NVD]. Bottom Line CVE-2026-48172 is a critical LiteSpeed User-End cPanel Plugin privilege-escalation issue with reported in-the-wild exploitation. 
Any server running affected plugin versions should be upgraded immediately, checked for redisAble indicators in cPanel logs, and reviewed for signs of root-level compromise.","https:\u002F\u002Fdarkwebinformer.com\u002Fcve-2026-48172-critical-litespeed-cpanel-plugin-flaw-exploited-for-privilege-escalation\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002Flitespeed.png","2026-05-22T17:35:17+00:00","2026-05-22T18:00:14.55+00:00",9,[18,21,24,26],{"name":19,"type":20},"LiteSpeed User-End cPanel Plugin","product",{"name":22,"type":23},"LiteSpeed","vendor",{"name":25,"type":20},"cPanel",{"name":27,"type":28},"Redis","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":29,"icon":31,"name":32,"slug":33},null,"Vulnerabilities","vulnerabilities",[35],{"category":36},{"id":29,"icon":31,"name":32,"slug":33},[38],{"type":39,"value":40,"context":41},"cve","CVE-2026-48172","LiteSpeed User-End cPanel Plugin privilege-escalation vulnerability"]