Exploit code and IOCs for cPanel flaw posted — IOC includes cpanel_jsonapi_func=redisAble
- LiteSpeed and multiple security researchers said on May 25 that exploit code and compromise indicators for CVE-2026-48172 were circulating publicly online.
- The most repeated indicator is `cpanel_jsonapi_func=redisAble`, tied to abuse of the `lsws.redisAble` function to run scripts as root.
- LiteSpeed says administrators should update to cPanel plugin v2.4.7 or WHM plugin v5.3.1.0 and review cPanel logs.

LiteSpeed’s cPanel plugin flaw moved from vendor advisory to public exploitation chatter over the May 24-25 weekend, as researchers and security accounts posted proof-of-concept snippets and log-based indicators of compromise tied to CVE-2026-48172. LiteSpeed said the bug lets any authenticated cPanel user abuse the `lsws.redisAble` function to execute arbitrary scripts as root, and The Hacker News and other security outlets amplified the warning in posts and write-ups over the same period. The IOC repeated across those posts is the string `cpanel_jsonapi_func=redisAble`, which LiteSpeed and third-party trackers say defenders can search for in cPanel logs.

### Which product is affected, and what does the bug do?

CVE-2026-48172 affects the LiteSpeed User-End cPanel Plugin, not the standalone WHM plugin by itself, according to LiteSpeed and The Hacker News. LiteSpeed said the issue is an incorrect privilege assignment flaw in `lsws.redisAble` that can let “any cPanel user” execute arbitrary scripts with root privileges. The affected range is plugin versions 2.3 through 2.4.4, according to the vendor’s release material and third-party CVE trackers. (thehackernews.com)

The Hacker News reported the flaw was under active exploitation in the wild, citing LiteSpeed’s advisory. Tenable’s CVE entry also describes the issue as exploited in May 2026 and points defenders to the same log-based detection pattern.

### Why is `cpanel_jsonapi_func=redisAble` showing up in IOC posts?

Tenable and OpenCVE both say detection centers on searching cPanel logs for `cpanel_jsonapi_func=redisAble`. (thehackernews.com)

That string maps to requests invoking the Redis enable/disable path tied to the vulnerable `lsws.redisAble` function, which is why it has become the shorthand IOC repeated in security posts and follow-on blog coverage. LiteSpeed’s own documentation and advisory connect the flaw to Redis-related functionality in the user-end plugin.
The vendor’s release log says Redis features were disabled in v2.4.5 and then reintroduced with additional hardening in later releases, which aligns with the focus on `redisAble` in public exploit snippets and detections. (tenable.com)

### What did LiteSpeed say it changed, and when?

LiteSpeed’s May 21 security update lays out a short timeline. The company said it was alerted on May 19, that cPanel pushed an uninstall command for the user-end plugin the same day, that LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on May 19, applied for a CVE on May 20, and then completed a broader security review and released cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21. (litespeedtech.com)

LiteSpeed’s release log says v2.4.6 and the bundled WHM plugin release reintroduced Redis features with additional hardening after they had been disabled in v2.4.5. The May 21 blog post says v2.4.7 and v5.3.1.0 followed a security review.

### What should defenders check right now?

Tenable’s CVE page and follow-on security write-ups point to a simple first-pass check: grep cPanel logs for `cpanel_jsonapi_func=redisAble`. (blog.litespeedtech.com)

Tenable gives the command as `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null`, and GridinSoft repeats that guidance while directing users to update to WHM plugin v5.3.1.0 or later so the bundled user-end plugin reaches v2.4.7. (litespeedtech.com)

The vendor’s stated fix path is to move off affected versions. LiteSpeed’s May 21 post says the current patched releases are cPanel plugin v2.4.7 and WHM plugin v5.3.1.0.

### Where does this go next?

LiteSpeed’s next concrete milestone is patch adoption across hosting environments still running user-end plugin versions 2.3 through 2.4.4.
(tenable.com) Administrators can track current package versions through LiteSpeed’s release log and download pages, while incident responders can use the vendor-backed log check to review historical cPanel activity for `cpanel_jsonapi_func=redisAble`. (litespeedtech.com) (blog.litespeedtech.com)
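
For the historical log review described above, a plain `grep -r` does not look inside rotated logs that have been gzip-compressed and does not show which accounts made the requests. The script below is an added example, not code from LiteSpeed, Tenable or the original article: it decompresses `*.gz` files and counts hits per cPanel user and source IP. The function names, the combined-log-style field layout (client IP first, user third) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): per-user summary of hits for the page's IOC.
IOC='cpanel_jsonapi_func=redisAble'   # indicator string quoted in the article

# Stream every log line under the given directories, decompressing *.gz files.
stream_logs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) gzip -dc "$f" 2>/dev/null ;;
            *)    cat "$f" 2>/dev/null ;;
        esac
    done
}

# Print "hits user source-ip", most hits first.
# Assumption: combined-log-style lines, field 1 = client IP, field 3 = user.
ioc_summary() {
    stream_logs "$@" |
        LC_ALL=C awk -v ioc="$IOC" '
            index($0, ioc) { n[$3 " " $1]++ }
            END { for (k in n) print n[k], k }' |
        LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample data (not real traffic): one live log, one rotated .gz.
make_sample() {
    mkdir -p "$1/archive"
    cat > "$1/access_log" <<'EOF'
198.51.100.7 - alice [05/24/2026:02:11:09 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.7 - alice [05/24/2026:02:11:40 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.44 - carol [05/24/2026:03:00:00 -0000] "GET /frontend/index.html HTTP/1.1" 200 0
EOF
    printf '%s\n' '203.0.113.9 - bob [05/20/2026:23:59:01 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0' |
        gzip -c > "$1/archive/access_log.1.gz"
}

# With arguments: scan those directories. Without: run on the constructed sample.
if [ "$#" -gt 0 ]; then
    ioc_summary "$@"
else
    demo=$(mktemp -d) && make_sample "$demo" && ioc_summary "$demo"
    rm -rf "$demo"
fi
```

On a server, pass the two directories from Tenable's command as arguments: `/var/cpanel/logs /usr/local/cpanel/logs`.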