CVE-2026-48172 — LiteSpeed cPanel Plugin Privilege Escalation Vulnerability

CVE-2026-48172

LiteSpeed User-End cPanel Plugin — Any cPanel User Can Execute Arbitrary Scripts as Root via Unguarded lsws.redisAble API Endpoint

What is the LiteSpeed cPanel Plugin?

LiteSpeed Web Server (LSWS) is a high-performance HTTP server used extensively by web hosting providers as a drop-in Apache replacement, commonly paired with cPanel/WHM control panels on shared hosting infrastructure. The LiteSpeed user-end cPanel plugin allows individual hosting customers to control LiteSpeed-specific features — such as enabling or disabling the LiteSpeed cache — from within their own cPanel account, without requiring host-administrator privileges. It is deployed on tens of thousands of shared hosting servers globally.

Overview

CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed user-end cPanel plugin. Any authenticated cPanel user — including unprivileged shared-hosting customers — can invoke the unguarded lsws.redisAble API endpoint to execute arbitrary scripts as root on the host server. CISA confirmed active exploitation before the patch was released and added the CVE to the KEV catalog on May 26, 2026, with a three-day remediation deadline of May 29 — one of the shortest windows in recent KEV history, reflecting the severity of confirmed active exploitation on shared hosting infrastructure.

Affected Versions

Component                          Affected Versions        Fixed Version
LiteSpeed User-End cPanel Plugin   v2.3 – v2.4.4            v2.4.7
LiteSpeed WHM Plugin               earlier than 5.3.1.0     v5.3.1.0

LiteSpeed released three patch versions in rapid succession (v2.4.5, v2.4.6/WHM 5.3.0.0, v2.4.7/WHM 5.3.1.0) after identifying additional related attack vectors during the security review triggered by the initial report.

Technical Details

The LiteSpeed user-end cPanel plugin exposes the lsws.redisAble function through cPanel's standard JSON-API interface, accessible to every authenticated cPanel user at:

GET /execute/LiteSpeed/redisAble

or as cpanel_jsonapi_func=redisAble via the cPanel UAPI.

This endpoint was designed as an administrative operation but contained no privilege check. Any cPanel account holder — including the most basic unprivileged shared-hosting customer — could invoke it to trigger arbitrary script execution with root-level permissions on the host server.

Attack requirements:

  • A valid cPanel account on an affected server (achievable via credential compromise, a malicious hosting customer, or an XSS-escalated session)
  • No elevated privileges — standard unprivileged accounts are sufficient
  • Single HTTP request

One compromised shared-hosting account grants full root access to the entire physical or virtual host server, affecting all co-hosted customers and their data.

Root cause (CWE-266 — Incorrect Privilege Assignment): The API endpoint delegated to a privileged execution path without any authorization check, violating the principle of least privilege at the cPanel API layer.
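As an added illustration of the root cause (this is not the plugin's code; the Caller model, the role names and the cacheStatus operation are assumptions made for the example), the unguarded handler below hands control straight to a privileged action, while the hardened dispatcher declares a required role on every operation, enforces it centrally before delegating, writes an audit entry either way, and refuses anything it does not know:

```python
# Constructed example of an API-layer authorization gate (CWE-266 pattern vs. fix).
# Not the LiteSpeed plugin's code: Caller, the role vocabulary and cacheStatus are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Caller:
    user: str
    roles: frozenset  # assumption: {"user"} for a hosting customer, {"admin", "user"} for root


class Denied(PermissionError):
    """Raised when the dispatcher refuses an operation."""


AUDIT: List[str] = []  # stand-in for the panel's audit log


def privileged_redis_toggle(enable: bool) -> str:
    """Stand-in for the action that really runs with root rights."""
    return "redis enabled" if enable else "redis disabled"


# Vulnerable pattern: the API function delegates to the privileged path and
# never asks who is calling. Every authenticated account reaches root-level work.
def redis_able_unguarded(caller: Caller, enable: bool = True) -> str:
    return privileged_redis_toggle(enable)


# Hardened pattern: the privilege requirement is declared on the handler itself,
# so it cannot be forgotten at the call site, and the dispatcher enforces it.
def requires_role(role: str) -> Callable:
    def deco(fn: Callable) -> Callable:
        fn.required_role = role
        return fn
    return deco


@requires_role("admin")
def redis_able(caller: Caller, enable: bool = True) -> str:
    return privileged_redis_toggle(enable)


@requires_role("user")
def cache_status(caller: Caller) -> str:
    # Assumed per-account, unprivileged operation, included to show a customer-level call.
    return f"cache status for {caller.user}: ok"


REGISTRY: Dict[str, Callable] = {"redisAble": redis_able, "cacheStatus": cache_status}


def dispatch(caller: Caller, op: str, **params) -> str:
    """Central gate: unknown ops are refused, required role is checked, outcome is audited."""
    handler = REGISTRY.get(op)
    if handler is None:
        AUDIT.append(f"DENY  user={caller.user} op={op} reason=unknown-op")
        raise Denied(op)
    need = getattr(handler, "required_role", None)
    if need is None or need not in caller.roles:  # deny by default
        AUDIT.append(f"DENY  user={caller.user} op={op} reason=requires-{need}")
        raise Denied(op)
    AUDIT.append(f"ALLOW user={caller.user} op={op}")
    return handler(caller, **params)


if __name__ == "__main__":
    customer = Caller("shopuser1", frozenset({"user"}))
    admin = Caller("root", frozenset({"admin", "user"}))
    print("unguarded, customer:", redis_able_unguarded(customer))
    try:
        dispatch(customer, "redisAble")
    except Denied as e:
        print("guarded, customer denied:", e)
    print("guarded, admin:", dispatch(admin, "redisAble", enable=False))
    print("\n".join(AUDIT))
```

The point of the hardened form is that the check lives in one place that every operation passes through, and that a handler with no declared requirement is refused rather than allowed, so adding a new privileged operation without thinking about authorization fails closed.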

Discovery

Security researcher David Strydom reported the vulnerability on May 19, 2026. LiteSpeed confirmed that active exploitation was already occurring at the time of the report, making this a zero-day at point of disclosure.

Exploitation Context

Actively exploited in the wild as a zero-day before the patch was available. LiteSpeed confirmed exploitation prior to disclosure. cPanel/WebPros responded immediately by automatically removing the plugin from affected servers via the standard cPanel update mechanism on May 19, 2026 as an emergency measure. CISA's three-day KEV remediation deadline (May 26 → May 29) is among the shortest on record, reflecting the ease of exploitation and the impact of root compromise on shared multi-tenant infrastructure.

Detection — check for exploitation attempts in cPanel logs:

grep -rE "execute/LiteSpeed/redisAble|cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Remediation

  1. Update immediately — install LiteSpeed User-End cPanel Plugin v2.4.7 and WHM Plugin v5.3.1.0 or later from the LiteSpeed repository.
  2. Emergency uninstall (if patching is not immediately possible):
     /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
  3. Check for exploitation — search cPanel access logs for invocations of the redisAble endpoint (either the /execute/LiteSpeed/redisAble path or the cpanel_jsonapi_func=redisAble parameter) from non-administrative users:
     grep -rE "execute/LiteSpeed/redisAble|cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
  4. Audit server integrity — if exploitation is suspected, perform a full server audit before trusting any system state. A root-level compromise may have persisted backdoors, created additional accounts, or exfiltrated hosted customer data.
  5. Review all cPanel user access logs for unusual activity during the exposure window (before May 19, 2026).
  6. Notify hosted customers if exploitation is confirmed on your infrastructure, as all co-hosted accounts and data must be considered compromised.
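The added script below (not from LiteSpeed or cPanel) ties together the version check implied by the Affected Versions table and step 1, and the log search of step 3 and the Detection section. The sample log lines are constructed and only approximate cPanel's access_log layout; the component names, the line format and the admin-user list are assumptions, and the real log paths are those given in step 3:

```python
# Constructed triage helper for CVE-2026-48172: version status + access-log scan.
# Not vendor code. Log line layout and component names are assumptions for this example.
import re
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


# --- Affected-version check (ranges taken from the advisory's table) --------------
def parse_version(v: str) -> Tuple[int, ...]:
    """'v2.4.4' -> (2, 4, 4, 0); padded to four components so ranges compare cleanly."""
    parts = [int(p) for p in v.strip().lower().lstrip("v").split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def version_status(component: str, version: str) -> str:
    """'vulnerable', 'interim-patch', 'patched' or 'outside-affected-range'.
    Component names ('cpanel-plugin', 'whm-plugin') are this script's own convention."""
    v = parse_version(version)
    if component == "cpanel-plugin":
        if v >= parse_version("2.4.7"):
            return "patched"
        if v >= parse_version("2.4.5"):
            return "interim-patch"  # v2.4.5 / v2.4.6 were superseded by v2.4.7
        if v >= parse_version("2.3"):
            return "vulnerable"  # advisory range: v2.3 - v2.4.4
        return "outside-affected-range"
    if component == "whm-plugin":
        return "patched" if v >= parse_version("5.3.1.0") else "vulnerable"
    raise ValueError(f"unknown component {component!r}")


# --- Log scan for redisAble invocations --------------------------------------------
# Assumed line layout (Apache-combined-like, approximating cPanel's access_log):
#   IP - USER [MM/DD/YYYY:HH:MM:SS +ZZZZ] "METHOD PATH PROTO" STATUS BYTES "REFERER" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Both forms named in the advisory: the UAPI path and the JSON-API function parameter.
REDIS_ABLE_RE = re.compile(r"/execute/LiteSpeed/redisAble|cpanel_jsonapi_func=redisAble")


def scan_access_log(lines: Iterable[str], admin_users=("root",)) -> List[Dict]:
    """One record per redisAble invocation; 'suspicious' marks callers not in admin_users."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not REDIS_ABLE_RE.search(line):
            continue
        m = LOG_RE.match(line)
        if m is None:
            # Matching but unparseable line: report it rather than silently drop it.
            hits.append({"raw": line, "user": None, "ip": None, "ts": None,
                         "status": None, "suspicious": True})
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S %z")
        hits.append({"raw": line, "user": m["user"], "ip": m["ip"], "ts": ts,
                     "status": int(m["status"]),
                     "suspicious": m["user"] not in admin_users})
    return hits


def scan_file(path: str, **kw) -> List[Dict]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_access_log(fh, **kw)


def suspicious_users(hits: List[Dict]) -> set:
    return {h["user"] for h in hits if h["suspicious"] and h["user"]}


# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - shopuser1 [05/18/2026:03:13:50 -0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.7 - shopuser1 [05/18/2026:03:14:07 -0000] "GET /cpsess1234567890/execute/LiteSpeed/redisAble HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - root [05/18/2026:09:00:00 -0000] "GET /cpsess0987654321/execute/LiteSpeed/redisAble HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - bloguser [05/18/2026:11:41:52 -0000] "POST /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 99 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for comp, ver in (("cpanel-plugin", "v2.4.4"), ("cpanel-plugin", "v2.4.7"), ("whm-plugin", "5.2.9")):
        print(f"{comp} {ver}: {version_status(comp, ver)}")
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if h["suspicious"] else "admin"
        print(f"{flag:10} {h['ts']:%Y-%m-%d %H:%M:%S} user={h['user']} ip={h['ip']} status={h['status']}")
```

On a real server, point scan_file at the access log under the directories listed in step 3 and treat every record as worth reading: an administrative invocation is expected, a customer-account invocation is the advisory's detection criterion, and a matching line the parser cannot read is still reported rather than discarded.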

Key Details

Property               Value
CVE ID                 CVE-2026-48172
Vendor / Product       LiteSpeed — cPanel Plugin
NVD Published          2026-05-21
NVD Last Modified      2026-05-26
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-266
CISA KEV Added         2026-05-26
CISA KEV Deadline      2026-05-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-05-29. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2026-05-19   Security researcher David Strydom reports the vulnerability; cPanel/WebPros automatically removes the plugin via routine updates; LiteSpeed releases v2.4.5 and v2.4.6 / WHM 5.3.0.0
2026-05-20   CVE-2026-48172 formally assigned
2026-05-21   LiteSpeed completes its full security review; releases final patches v2.4.7 / WHM Plugin 5.3.1.0
2026-05-26   Added to the CISA Known Exploited Vulnerabilities catalog
2026-05-29   CISA BOD 22-01 remediation deadline