CVE-2026-48172: Severe LiteSpeed cPanel Plugin Flaw Under Active Attack


A critical security flaw in the LiteSpeed User-End cPanel Plugin is being actively exploited by attackers, raising serious concerns for server administrators and hosting providers worldwide. The vulnerability, tracked as CVE-2026-48172, carries the highest possible CVSS score of 10.0, making it one of the most dangerous security issues discovered this year.

The flaw allows attackers to execute arbitrary scripts with root privileges, potentially giving them full control over affected servers. Security experts warn that unpatched systems could be at risk of malware infections, ransomware deployment, data theft, and complete server compromise.

According to LiteSpeed Technologies, the vulnerability affects the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. The company confirmed that the issue has already been observed in active attacks in the wild.

CVE-2026-48172 is an incorrect privilege assignment vulnerability in the LiteSpeed User-End cPanel Plugin. Attackers can abuse a vulnerable function known as lsws.redisAble to run malicious scripts as the root user.

LiteSpeed explained that any cPanel account, including compromised or low-privileged accounts, could exploit the flaw to gain elevated permissions on the server.

The company stated:

“Any cPanel user may exploit the lsws.redisAble function to execute arbitrary scripts as root.”

Because the exploit requires only a cPanel account, threat actors may target shared hosting environments where multiple users operate on the same server. Once exploited, attackers could gain complete administrative control and perform malicious activities without restrictions.

LiteSpeed confirmed that attackers are already exploiting the vulnerability in real-world attacks. Although the company did not release detailed technical information about the attacks, the warning strongly indicates that cybercriminals are actively scanning the internet for vulnerable systems.

Security researchers believe attackers may use the flaw to:

  • Install malware
  • Deploy ransomware
  • Create hidden backdoors
  • Steal website data
  • Hijack hosting servers
  • Launch botnet attacks
  • Maintain persistent root access

The vulnerability was discovered and responsibly reported by security researcher David Strydom.

The security flaw impacts the following LiteSpeed User-End cPanel Plugin versions:

  • Version 2.3
  • All releases up to 2.4.4

However, LiteSpeed confirmed that its WHM plugin is not directly affected by the vulnerability.

The issue has been patched in version 2.4.5, and further security improvements were later included in version 2.4.7.

LiteSpeed has shared an Indicator of Compromise (IoC) command that administrators can use to detect possible exploitation attempts on their servers.

 
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
 

If the command returns no output, no request matching this indicator was found in those log directories, and the server is likely safe from known exploitation attempts related to this vulnerability.

However, if results appear, administrators should immediately review the listed IP addresses and investigate suspicious activity. Any unknown or malicious IP addresses should be blocked immediately to prevent further attacks.
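To make that review quicker, the matching lines can be grouped by client address and cPanel account. The shell function below is an added example, not code from LiteSpeed or from the original article; it assumes combined-format log lines (client IP in field 1, authenticated user in field 3), and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise hits for LiteSpeed's IoC string by client and account.
# Assumption: log lines follow the common "combined" layout
#   <client-ip> - <user> [<timestamp> <tz>] "<request>" <status> ...
# Lines whose first field is not an address are grouped under ip="?".

IOC='cpanel_jsonapi_func=redisAble'   # indicator string quoted on the page

# Constructed sample log lines (documentation IPs, made-up accounts and tokens).
sample_log() {
cat <<'EOF'
203.0.113.7 - alice [12/May/2026:03:14:07 +0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.22 - bob [12/May/2026:03:15:10 +0000] "GET /cpsess1111111111/frontend/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - alice [12/May/2026:03:16:41 +0000] "POST /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.0.2.55 - carol [13/May/2026:11:02:00 +0000] "GET /cpsess2222222222/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0 "-" "python-requests/2.31"
EOF
}

# Reads log lines on stdin and prints one row per (ip, user) pair:
#   count ip user first_seen last_seen
# Busiest pair first. first/last assume the input is in chronological order.
redisable_hits() {
    awk -v ioc="$IOC" '
        index($0, ioc) {                      # fixed-string match on the IoC
            ip   = ($1 ~ /^[0-9a-fA-F:.]+$/) ? $1 : "?"
            user = ($3 != "") ? $3 : "-"
            ts   = $4; sub(/^\[/, "", ts)     # strip the leading "[" of the timestamp
            key  = ip " " user
            if (!(key in n)) first[key] = ts
            n[key]++; last[key] = ts
        }
        END { for (k in n) print n[k], k, first[k], last[k] }
    ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample.
sample_log | redisable_hits
```

On a server, feed it with `grep -rhE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null | redisable_hits`; the `-h` flag drops the filename prefix that `-r` would otherwise put in front of each line.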

Following the discovery of CVE-2026-48172, LiteSpeed conducted a broader security review of both its cPanel and WHM plugins.

As a result, the company identified and patched additional potential attack vectors. These fixes were included in:

  • LiteSpeed WHM Plugin version 5.3.1.0
  • LiteSpeed cPanel Plugin version 2.4.7

LiteSpeed strongly recommends all users upgrade to the latest available versions as soon as possible.


Security experts advise administrators to take immediate action to secure their systems.

Users should update to:

  • LiteSpeed WHM Plugin 5.3.1.0
  • LiteSpeed cPanel Plugin 2.4.7 or later

Updating to the latest versions is the most effective way to protect servers from exploitation.

If immediate patching is not possible, LiteSpeed recommends uninstalling the vulnerable user-end plugin using the following command:

 
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
 

This temporary mitigation can help reduce the attack surface until proper updates are applied.

Administrators should continuously monitor:

  • cPanel logs
  • Authentication activity
  • Unexpected root-level processes
  • Unauthorized scripts
  • Suspicious outbound traffic

Early detection can help minimize damage from successful attacks.

The discovery of CVE-2026-48172 comes shortly after another major cPanel vulnerability, CVE-2026-41940, was found under active exploitation.

That flaw reportedly allowed threat actors to deploy Mirai botnet variants and a ransomware strain known as “Sorry.” The increasing number of attacks targeting hosting infrastructure highlights how cybercriminals are focusing heavily on web hosting servers and management panels.

Because cPanel powers millions of websites globally, vulnerabilities affecting its ecosystem can have widespread consequences for businesses, hosting providers, and website owners.

A root-level vulnerability with a CVSS score of 10.0 is considered extremely dangerous because it can lead to full system compromise. In shared hosting environments, attackers may potentially impact multiple websites and users from a single exploited account.

Organizations running LiteSpeed servers should treat this issue as a top-priority security emergency. Delayed patching could expose servers to ransomware infections, website defacement, credential theft, and long-term persistence by attackers.

With active exploitation already confirmed, cybersecurity professionals strongly recommend immediate upgrades, log analysis, and security monitoring to prevent compromise.
