LiteSpeed warns cPanel plugin CVE-2026-48172

- LiteSpeed said on May 21 that a critical flaw in its user-end cPanel plugin lets any cPanel user execute arbitrary scripts as root.
- CVE-2026-48172 carries a CVSS score of 10.0, affects versions 2.3 through 2.4.4, and involves the `lsws.redisAble` function, LiteSpeed said.
- LiteSpeed’s fixes are in cPanel plugin v2.4.7 and WHM plugin v5.3.1.0, released May 21 and listed in the vendor's release log.

LiteSpeed said on May 21 that a critical privilege-escalation flaw in its user-end cPanel plugin is being actively exploited and can let any cPanel user run arbitrary scripts as root. The company assigned the issue CVE-2026-48172 and said affected versions span 2.3 through 2.4.4. LiteSpeed credited security researcher David Strydom with reporting the bug and said its WHM plugin was not itself affected. The company urged customers to upgrade to LiteSpeed WHM Plugin v5.3.1.0, bundled with cPanel plugin v2.4.7, or remove the user-end plugin if they cannot patch immediately.

### Which LiteSpeed component is actually vulnerable?

LiteSpeed’s May 21 advisory said the flaw is in the user-end plugin for cPanel, not in the WHM plugin on its own. The vulnerable code path involves the `lsws.redisAble` function, which LiteSpeed said could be abused by “any cPanel user (including an attacker or a compromised account)” to execute arbitrary scripts as root. (blog.litespeedtech.com)

The affected range is broad inside the current branch. LiteSpeed said versions 2.3 through 2.4.4 are exposed, while The Hacker News reported the issue carries a CVSS severity score of 10.0.

### Why are defenders treating this as urgent?

LiteSpeed said the vulnerability “is being actively exploited,” which moves the issue from a patching advisory to an incident-response problem for hosting providers and server administrators. (blog.litespeedtech.com)

The company did not publish exploitation details in its advisory, but it did provide a log-hunting command tied to observed activity. The indicator LiteSpeed published is the parameter `cpanel_jsonapi_func=redisAble`. The company told users to search `/var/cpanel/logs` and `/usr/local/cpanel/logs` for that string and said no output from the command means the server has not been affected, while any output should be reviewed for suspicious IP addresses and follow-on activity. (blog.litespeedtech.com)

### What should administrators check first?

LiteSpeed’s first check is simple: look for evidence that the vulnerable function was called. The command in the advisory searches cPanel log paths for the `cpanel_jsonapi_func=redisAble` string, which the company identified as an indicator of compromise. (blog.litespeedtech.com)

If matches appear, LiteSpeed said administrators should examine the source IP addresses, decide whether they are legitimate, block the ones that are not, and then review system logs for actions taken by those IPs. That guidance suggests the vendor expects defenders to treat positive log hits as a starting point for broader forensic review, not as a complete damage assessment. (blog.litespeedtech.com)

### Which versions fix it, and why are there two patch numbers?

LiteSpeed’s advisory said the original issue was patched in cPanel plugin v2.4.5, but the company later completed a broader security review and released cPanel plugin v2.4.7 together with WHM plugin v5.3.1.0. LiteSpeed said that review found and patched additional potential attack vectors in both plugins, while adding there were no reports those additional issues had been exploited. (blog.litespeedtech.com)

The release log shows WHM plugin v5.3.1.0 bundled with cPanel plugin v2.4.7 on May 21, 2026. The same log lists multiple hardening and validation changes in both plugins, including caller-trust validation, structured argument passing, privilege dropping, token handling, deserialization hardening and user scoping for API calls. (blog.litespeedtech.com)

### What happened on the timeline?

LiteSpeed said it was alerted to the original issue on May 19, 2026. The same day, cPanel pushed an uninstall command for the user-end plugin, and LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0. On May 20, LiteSpeed said it applied for a CVE, and on May 21 it completed a security review and released cPanel plugin v2.4.7 and WHM plugin v5.3.1.0. (litespeedtech.com)

LiteSpeed’s download and release pages now point users to the updated plugin track, while the vendor’s advisory says customers that cannot patch immediately can remove the user-end plugin with `/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall`. The next concrete step for affected operators is to review cPanel logs for the published indicator and move to v2.4.7 with WHM plugin v5.3.1.0 or later. (blog.litespeedtech.com)
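The log check described above, worked into a small triage script. This is an added example and not LiteSpeed's published command: it searches the two cPanel log directories the advisory names for the `cpanel_jsonapi_func=redisAble` indicator, pulls out the source IPs behind any hits for review, and returns a verdict along the lines the advisory gives (no output means not affected, any output means review). The function names are hypothetical, and the sample log lines are constructed in an Apache-style layout so the script runs offline; real cPanel log formats may differ, which is why the match is on the indicator string rather than on a particular line layout.

```shell
#!/bin/sh
# Added example, not LiteSpeed's own command. Function names are hypothetical and
# the log lines written by make_sample_logs are constructed samples.

INDICATOR='cpanel_jsonapi_func=redisAble'

# Recursively search the given log directories for the indicator string.
# Prints "file:line" for every hit; prints nothing (and still exits 0) when clean.
find_indicator_hits() {
    grep -rH -F "$INDICATOR" "$@" 2>/dev/null || true
}

# Unique IPv4 addresses appearing on matching lines, one per line, sorted.
hit_source_ips() {
    find_indicator_hits "$@" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Per-IP hit counts ("count ip"), most active first: a quick view of who called the function.
hit_counts_by_ip() {
    find_indicator_hits "$@" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn
}

# Verdict following the advisory's guidance: no hits means the server has not been
# affected; any hit means the IPs need review and follow-on checks of system logs.
triage_verdict() {
    if [ -z "$(find_indicator_hits "$@")" ]; then
        echo "clean"
    else
        echo "review"
    fi
}

# Build a throwaway log tree with constructed sample lines for offline demonstration.
make_sample_logs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/local/cpanel/logs" "$dir/var/cpanel/logs"
    cat > "$dir/usr/local/cpanel/logs/access_log" <<'EOF'
198.51.100.7 - alice [21/05/2026:10:01:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200
203.0.113.42 - bob [21/05/2026:10:05:44 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200
203.0.113.42 - bob [21/05/2026:10:05:51 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200
EOF
    cat > "$dir/var/cpanel/logs/session_log" <<'EOF'
[2026-05-21 10:06:00] bob 203.0.113.42 api call cpanel_jsonapi_func=redisAble
[2026-05-21 10:07:13] alice 198.51.100.7 login ok
EOF
    echo "$dir"
}

# Demonstration against the constructed tree. On a live server the equivalent call is:
#   triage_verdict /var/cpanel/logs /usr/local/cpanel/logs
#   hit_counts_by_ip /var/cpanel/logs /usr/local/cpanel/logs
sample=$(make_sample_logs)
echo "verdict: $(triage_verdict "$sample/var/cpanel/logs" "$sample/usr/local/cpanel/logs")"
hit_counts_by_ip "$sample/var/cpanel/logs" "$sample/usr/local/cpanel/logs"
rm -rf "$sample"
```

Two caveats when running this against a real host. `grep -r` does not decompress rotated logs, so any `.gz` archives in those directories need a separate `zgrep` pass, or the search window silently shrinks to the current log file. And a hit only shows that the function was requested from a given address; as the advisory says, the IPs then have to be judged legitimate or not, and system logs reviewed for what those addresses did afterwards.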
