[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLJuA2U2ePaJr454z55ormQfatFqLPyJtN_N1EGlV1V0":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"c12c4c57-2414-41e7-b14c-3a49014837f9","LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root","litespeed-cpanel-plugin-cve-2026-48172-exploited-to-run-scripts-as-root-dd6625","A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. \"Any cPanel user (including an attacker or a compromised account) may","A critical vulnerability, CVE-2026-48172, in the LiteSpeed User-End cPanel Plugin is under active exploitation, allowing attackers to execute arbitrary scripts with root privileges. The vulnerability affects plugin versions 2.3 to 2.4.4 and has been addressed in version 2.4.5, with users advised to upgrade to version 5.3.1.0.","CVE-2026-48172, a maximum-severity flaw in LiteSpeed cPanel Plugin, is actively exploited to run scripts as root.","LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root Ravie LakshmananMay 23, 2026Vulnerability \u002F Web Security A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. \"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root,\" LiteSpeed said. The vulnerability impacts all versions of the plugin between 2.3 and 2.4.4. LiteSpeed's WHM plugin is not impacted. The issue has been addressed in version 2.4.5. Security researcher David Strydom has been credited with discovering and reporting the flaw. LiteSpeed noted that the \"vulnerability is being actively exploited,\" but refrained from sharing additional details. It has provided the following indicator of compromise - grep -rE \"cpanel_jsonapi_func=redisAble\" \u002Fvar\u002Fcpanel\u002Flogs \u002Fusr\u002Flocal\u002Fcpanel\u002Flogs\u002F 2>\u002Fdev\u002Fnull If running the aforementioned \"grep\" command does not produce any output, the server is not affected. However, if there is any output, users are advised to examine the IP addresses in the list and determine if they are legitimate, and if not, block them. Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins and released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0. Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher, to patch the vulnerability. If immediate patching is not an option, it's recommended to remove the user-end plugin by running the below command - \u002Fusr\u002Flocal\u002Flsws\u002Fadmin\u002Fmisc\u002Flscmctl cpanelplugin --uninstall The development comes weeks after a critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry. Update The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on May 26, 2026, added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes for the flaw by May 29, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cPanel, cybersecurity, LiteSpeed, privilege escalation, ransomware, Vulnerability, WHM ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\u002FCD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Flitespeed-cpanel-plugin-cve-2026-48172.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjM0W1UqsbcZ-8IV_n8ov3V24MQ74VaKe3auGFWNunDUfubEBeKEGREuFjC9-i7H_fLfSwFQQ5wqe8bhVWvAUVC_8U5AQg1c1Qbe-M7bSjuWCwcjTRrc2Du7L0Tm-NKO7ErhPUTR7YS6b1vkpmbYS1VaClWUGOvGe4cxv-jHkQFZMXbSDLfBiF7FFwd7Nfe\u002Fs1600\u002Flightspeed.png","2026-05-23T07:35:13+00:00","2026-05-23T10:00:17.525949+00:00",9,[18,21,24],{"name":19,"type":20},"LiteSpeed User-End cPanel Plugin","product",{"name":22,"type":23},"LiteSpeed","vendor",{"name":25,"type":20},"cPanel","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":26,"icon":28,"name":29,"slug":30},null,"Vulnerabilities","vulnerabilities",[32,37],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":38},{"id":26,"icon":28,"name":29,"slug":30},[40],{"type":41,"value":42,"context":43},"cve","CVE-2026-48172","LiteSpeed cPanel Plugin vulnerability exploited to run scripts as root"]