LiteSpeed cPanel plugin zero-day exploited to gain root access on hosting servers


A critical LiteSpeed cPanel plugin vulnerability has been exploited in the wild to gain elevated access on Linux hosting servers. The flaw, tracked as CVE-2026-48172, affects the LiteSpeed User-End cPanel Plugin and can allow a cPanel user account to execute scripts with root-level privileges.

The NVD record for CVE-2026-48172 says LiteSpeed User-End cPanel Plugin versions before 2.4.5 allow privilege escalation, possibly to root, and confirms exploitation in May 2026.

The issue is especially serious for shared hosting providers. An attacker does not need full server access at the start. A malicious tenant, reseller account, or compromised cPanel user account may be enough to begin the escalation path.

The flaw sits in the user-end cPanel plugin

The vulnerability affects the user-facing LiteSpeed cPanel plugin, not the parent LiteSpeed WHM plugin itself. The vulnerable component exposes the lsws.redisAble function, which attackers can abuse through cPanel API calls.

The Hacker News reported that LiteSpeed described the bug as an incorrect privilege assignment issue that allows any cPanel user, including a compromised account, to run arbitrary scripts as root.

That makes the bug a hosting-provider emergency. Shared servers often contain hundreds of accounts, multiple websites, databases, email accounts, backups, SSL material, and customer files. Root access can put all of them at risk.

| Item | Details |
| --- | --- |
| CVE | CVE-2026-48172 |
| Affected software | LiteSpeed User-End cPanel Plugin |
| Affected versions | 2.3 through 2.4.4 |
| Fixed version | 2.4.5 or later, with newer bundled releases recommended |
| Impacted function | lsws.redisAble |
| Main risk | Privilege escalation to root from a cPanel user context |
| Exploit status | Exploited in the wild |

Why root access changes the impact

Root access gives attackers control over the whole server. On a cPanel hosting machine, that can include website files, databases, configuration files, mailboxes, cron jobs, SSH keys, backup paths, and other customer data.

Attackers can also use root access to install persistence, add backdoor accounts, change web server configuration, deploy webshells, dump credentials, disable security tools, or pivot into other infrastructure tied to the hosting provider.

For hosting companies, the business impact can extend beyond one compromised account. A single exploited shared server can create customer data exposure, mass defacement, malware hosting, spam delivery, credential theft, and reputational damage.

cPanel removed the vulnerable plugin automatically

cPanel responded by removing the vulnerable LiteSpeed cPanel Plugin during its nightly update process. The cPanel support notice says a security vulnerability in the LiteSpeed-provided plugin allowed unauthorized root access to the server.

The same notice clarifies that only the cPanel Plugin should be disabled or removed as part of the emergency action. Administrators should still verify their own systems rather than assuming every server updated successfully.

Servers with blocked updates, custom update windows, broken package states, pinned versions, or disabled nightly maintenance may still need manual review. Managed hosting providers should also check customer-owned servers where automated updates may not follow the provider’s default policy.

How administrators can check for exploit attempts

The fastest initial detection step is to search cPanel logs for calls to the vulnerable redisAble function. A clean search result does not prove the server is safe from every possible compromise, but it can show whether this known exploit path appears in the available logs.

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

The CVE-2026-48172 entry recommends this command and says that no output means there is currently no evidence of exploitation through that logged pattern. If the command returns results, administrators should examine the source IP addresses and block suspicious ones.
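To act on the returned lines, the hits can be grouped by source IP and cPanel user so the busiest callers stand out. The script below is an added example, not taken from the cPanel or LiteSpeed advisories; it assumes matching lines follow an Apache-combined-style access-log layout (IP first, user third, timestamp fourth), and its sample lines are constructed.

```shell
#!/bin/sh
# Added example: group redisAble hits by source IP and cPanel user.
# Assumption: field 1 is the client IP, field 3 the authenticated user and
# field 4 "[timestamp", as in an Apache-combined-style access log.
PATTERN='cpanel_jsonapi_func=redisAble'

# summarize_hits PATH... -> "count ip user first_seen last_seen", busiest first.
# first_seen/last_seen follow read order, which is chronological within one log.
summarize_hits() {
    grep -rhE -- "$PATTERN" "$@" 2>/dev/null | awk '
        {
            ts = $4; sub(/^\[/, "", ts)          # drop the leading "["
            key = $1 " " $3                      # "ip user"
            if (!(key in count)) first[key] = ts
            count[key]++; last[key] = ts
        }
        END { for (k in count) print count[k], k, first[k], last[k] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines: documentation IP ranges, placeholder session token.
sample_log() {
    cat <<'EOF'
203.0.113.7 - tenant1 [05/18/2026:02:11:40 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - tenant2 [05/18/2026:02:12:05 -0000] "GET /cpsess0000000000/frontend/index.html HTTP/1.1" 200 512
203.0.113.7 - tenant1 [05/18/2026:02:13:02 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.44 - reseller9 [05/19/2026:11:00:00 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
}

# demo: run the summary over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_log > "$tmp"
    summarize_hits "$tmp"
    rm -f "$tmp"
}

# With arguments, summarise those log paths; without, show the sample.
if [ "$#" -gt 0 ]; then summarize_hits "$@"; else demo; fi
```

Run it with the same two log directories as the grep command above. Plain grep does not read gzip-compressed rotated logs, so those need a separate pass with zgrep.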

Any positive result should trigger a wider incident response review. Attackers who gained root may have already changed files, added accounts, installed malware, altered scheduled tasks, or accessed customer data.

What to review after a positive hit

Administrators should not stop after blocking an IP address. Root-level exploitation can leave artifacts outside the original plugin logs, and attackers may remove or rotate their tools after gaining access.

  • Review cPanel, Apache, LiteSpeed, SSH, sudo, and authentication logs.
  • Check for new or modified root-level cron jobs.
  • Inspect /etc/passwd, /etc/shadow, sudoers files, and SSH authorized_keys.
  • Search customer web roots for recent PHP webshells or suspicious scripts.
  • Review recent changes to LiteSpeed, Apache, PHP, and cPanel configuration.
  • Check outbound connections to unfamiliar IP addresses and domains.
  • Rotate credentials if exploitation appears likely.
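For the account, sudoers, SSH-key and cron items in this list, one way to narrow the review is to list only the files modified after the earliest suspicious log entry. The script below is an added example, not from the advisories; the path list is an assumption based on common Linux layouts, the reference time is a placeholder, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: list account, sudo, SSH-key and cron files changed after a
# reference time (for instance the earliest redisAble hit).

# changed_since REF_FILE [ROOT] -> sorted paths modified more recently than REF_FILE.
# ROOT is empty for the live system, or the mount point of a disk image.
changed_since() {
    ref=$1; root=${2:-}
    {
        for p in etc/passwd etc/shadow etc/sudoers etc/sudoers.d \
                 etc/crontab etc/cron.d var/spool/cron \
                 root/.ssh/authorized_keys; do
            if [ -e "$root/$p" ]; then
                find "$root/$p" -type f -newer "$ref"
            fi
        done
        # Per-user SSH keys under /home/<user>/.ssh/
        find "$root/home" -maxdepth 3 -path '*/.ssh/authorized_keys' \
             -type f -newer "$ref" 2>/dev/null
    } | sort
}

# demo: constructed tree with two old files and two changed after the reference.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/cron.d" "$t/home/tenant1/.ssh"
    touch -t 202605010000 "$t/etc/passwd" "$t/etc/cron.d/old"
    touch -t 202605180211 "$t/ref"       # placeholder reference time
    touch -t 202605200000 "$t/etc/cron.d/newjob" \
                          "$t/home/tenant1/.ssh/authorized_keys"
    changed_since "$t/ref" "$t" | sed "s|^$t||"
    rm -rf "$t"
}

# With arguments, check the given reference file (and optional root); else demo.
if [ "$#" -gt 0 ]; then changed_since "$@"; else demo; fi
```

Create the reference file with `touch -t` set to the timestamp of the earliest hit, then pass its path as the first argument. Modification times can be reset by anyone with root, so an empty result narrows the review but does not clear the server.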

LiteSpeed fixed the issue in cPanel plugin version 2.4.5. Later releases added more hardening after a broader review, with WHM Plugin 5.3.1.0 bundling cPanel plugin 2.4.7.

The Hacker News reported that LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on May 19, then followed with cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21 after further review.

Hosting providers should move to the newest available LiteSpeed WHM and cPanel plugin versions rather than stopping at the first fixed build. They should also confirm the user-end plugin version directly on each server.

| Component | Action | Reason |
| --- | --- | --- |
| LiteSpeed User-End cPanel Plugin | Upgrade to 2.4.5 or later | Closes the CVE-2026-48172 privilege escalation flaw |
| LiteSpeed WHM Plugin | Upgrade to 5.3.1.0 or later where available | Includes cPanel plugin 2.4.7 and extra hardening |
| cPanel update system | Force an update if nightly maintenance did not run | Ensures cPanel’s emergency removal and fixes apply |
| Vulnerable plugin on unpatched hosts | Remove the user-end plugin if patching must wait | Reduces immediate exposure |

How to force the cPanel update

cPanel tells customers to force an update if the automatic update did not remove the vulnerable plugin or if they need to confirm the emergency action manually.

/scripts/upcp --force

The cPanel advisory says the update process was used to remove the vulnerable plugin. Administrators should still check the result, confirm the plugin state, and review logs afterward.

For servers that cannot update immediately, removing the LiteSpeed user-end plugin can reduce risk while administrators prepare a proper upgrade window. That containment step should not replace full patching and investigation.

Why shared hosting makes this worse

Shared hosting environments increase the blast radius because many users operate on the same server. If any one account becomes malicious or compromised, it may provide the foothold needed to exploit the plugin.

That threat model is different from a bug that requires WHM root credentials. CVE-2026-48172 starts from a lower-trust cPanel user context and can end with control of the whole machine.

Providers should treat this as a cross-tenant isolation issue. A compromised website owner account should never be able to become root, but this flaw breaks that boundary in vulnerable versions.

Immediate response checklist for hosting providers

Administrators should act in three phases: patch or remove the plugin, check for exploitation, then perform deeper compromise review on any server with suspicious findings.

  • Identify every server running LiteSpeed with cPanel.
  • Confirm the LiteSpeed User-End cPanel Plugin version.
  • Upgrade to a fixed release or remove the user-end plugin immediately.
  • Run the redisAble log search across cPanel log paths.
  • Investigate any source IP addresses found in the logs.
  • Review root-level changes, cron jobs, user accounts, and SSH keys.
  • Search hosted sites for webshells and unauthorized file changes.
  • Rotate root, WHM, reseller, cPanel, database, and SSH credentials where compromise is suspected.
  • Notify affected customers if evidence shows unauthorized access to their data.

What customer-site owners should ask their host

Website owners on shared hosting usually cannot patch the LiteSpeed cPanel plugin themselves. They should ask their hosting provider whether their server ran a vulnerable plugin version and whether exploit checks found any redisAble activity.

Customers should also ask whether the host reviewed web files, databases, email accounts, cron jobs, and FTP or SSH users after patching. If the host confirms suspicious activity, site owners should rotate CMS admin passwords, database passwords, FTP passwords, email passwords, and API keys.

For WordPress, Joomla, Magento, Laravel, and other hosted applications, site owners should also check for new administrator accounts, recently changed files, unknown plugins, and unexpected outbound connections from their application.

Why this bug deserves urgent attention

Control-panel plugins are high-value targets because they sit between customers and privileged server functions. When a plugin mishandles privileges, attackers may turn ordinary user access into full server control.

This is why CVE-2026-48172 needs both patching and investigation. Updating the plugin closes the known hole, but it does not automatically remove anything an attacker may have created while the server was vulnerable.

The safest response is to assume exposed vulnerable servers may have been targeted, apply the fixed versions, run the recommended log checks, and investigate any sign of exploitation as a potential root compromise.

FAQ

What is CVE-2026-48172?

CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin. It can allow a cPanel user account to execute scripts with root-level privileges on affected servers.

Which LiteSpeed cPanel plugin versions are affected?

LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4 are affected. Version 2.4.5 and later include the fix, while later bundled releases add more hardening.

Was CVE-2026-48172 exploited in the wild?

Yes. Public vulnerability records and reporting confirm that CVE-2026-48172 was exploited in the wild in May 2026.

How can administrators check for exploitation?

Administrators can search cPanel logs for cpanel_jsonapi_func=redisAble. Any matches should be investigated by reviewing source IPs, system logs, root-level changes, user accounts, web files, cron jobs, and SSH keys.

What should hosting providers do now?

Hosting providers should upgrade the LiteSpeed plugin, force cPanel updates where needed, remove the vulnerable user-end plugin if patching cannot happen immediately, run the log check, and treat positive results as possible root compromise.
