
Overview
CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw is a maximum-severity privilege escalation vulnerability (CVSS v4.0: 10.0) residing in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4, classified under CWE-266 (Incorrect Privilege Assignment), stemming from improper handling of Redis on/off features exposed via the plugin’s JSON API.
CISA added the CVE to the KEV catalog on May 26, 2026, and mandated remediation by May 29, 2026 under Binding Operational Directive 22-01.
Vulnerability Details
- CVE: CVE-2026-48172
- CVSS: 10.0 (v4.0) / 9.8 (v3.x)
- CWE: CWE-266 — Incorrect Privilege Assignment
- Affected Versions: LiteSpeed User-End cPanel Plugin 2.3 through 2.4.4
- Not Affected: LiteSpeed WHM plugin
Root Cause & Exploitation Mechanics
The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default. There is no race condition to win and no authentication gap to bridge: a single crafted API call with the right parameter values is sufficient to escalate to root.
Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server. This type of flaw is particularly dangerous in multi-tenant hosting environments, where multiple users operate on the same system — even a low-privileged or compromised account becomes a launch point for a full system takeover.
Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.”
The vulnerability also prompted emergency response from cPanel itself, which forced a fleet-wide uninstall five hours before its scheduled Technical Security Release window.
IOC Detection
Run the LiteSpeed-provided IOC check:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
Investigate every match. The same function name is what the plugin’s own Redis on/off toggle calls, so a hit is a lead rather than proof of compromise: compare the source IP and cPanel user against that account’s normal activity, and treat unfamiliar source IPs, scripted user agents and bursts of calls as suspicious, blocking them at the perimeter. Audit recently created user accounts and any files with elevated permissions (setuid binaries, root-owned files under user home directories) on affected servers. Restrict access to the cPanel and WHM interfaces by source IP where the customer model allows.
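As an added example, not LiteSpeed’s or cPanel’s own tooling, the following POSIX shell script runs the same match over constructed access-log lines and then answers the first question the grep output raises: which source IP and which cPanel user made the calls, with what method and client. The log layout (client IP, ident, cPanel user, bracketed timestamp, quoted request line, status, size, quoted referer, quoted user agent) is an assumption; adjust the field positions to match the access_log on your hosts.

```shell
#!/bin/sh
# Added example, not LiteSpeed's or cPanel's own tooling.
# Triage access-log lines that call the lsws.redisAble JSON-API function:
# list each hit with source IP, cPanel user, HTTP method and user agent, and
# tally hits per (IP, user). The field layout is ASSUMED to be Apache-style:
#   ip ident user [timestamp] "METHOD /path HTTP/x" status bytes "referer" "ua"
# Adjust the field positions if your access_log differs.

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG='198.51.100.7 - alice [26/May/2026:10:12:01 +0000] "GET /cpsess1/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.9 - bob [26/May/2026:10:13:44 +0000] "GET /cpsess2/frontend/jupiter/index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - alice [26/May/2026:10:14:09 +0000] "POST /cpsess1/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 510 "-" "curl/8.5"
192.0.2.25 - carol [26/May/2026:10:20:30 +0000] "GET /cpsess3/json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=lsws HTTP/1.1" 200 515 "-" "python-requests/2.31"'

# redisable_hits: read log text on stdin, print "ip user method user-agent"
# for every request whose query string names the redisAble function.
redisable_hits() {
    grep -E 'cpanel_jsonapi_func=redisAble' |
    awk -F'"' '{
        split($1, pre, " ")   # "ip - user [ts +zone] " -> pre[1]=ip, pre[3]=user
        split($2, req, " ")   # "METHOD /path HTTP/1.1" -> req[1]=method
        print pre[1], pre[3], req[1], $6
    }'
}

# redisable_summary: hits per (ip, user), most active first.
redisable_summary() {
    redisable_hits | awk '{ print $1, $2 }' | sort | uniq -c | sort -rn
}

# redisable_hit_count: number of matching requests, for thresholds in scripts.
redisable_hit_count() {
    redisable_hits | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real host, feed the
# access_log under /usr/local/cpanel/logs/ into redisable_summary instead.
printf '%s\n' "$SAMPLE_LOG" | redisable_summary
```

The summary groups by IP and user rather than by raw line so that one account hammering the endpoint from one address stands out at the top; the per-hit listing keeps method and user agent because a non-browser client calling a UI toggle is itself worth a look.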
Remediation
The issue is fixed in user-end plugin version 2.4.5. The recommended upgrade target is LiteSpeed WHM Plugin version 5.3.1.0, which ships with cPanel plugin v2.4.7 or higher; any host still reporting 2.4.4 or below remains exposed.
If immediate patching is not an option, remove the user-end plugin using:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Given confirmed in-the-wild exploitation and CISA KEV listing, defenders should verify the running plugin version directly on each host rather than rely on inventory records — hosted environments and shared infrastructure are particularly likely to have version drift between what the inventory shows and what is actually deployed.
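An added example (not from LiteSpeed, cPanel or CISA) of the per-host check the paragraph above calls for, written in POSIX shell: it classifies a version string against the affected range stated in this advisory (2.3 through 2.4.4, fixed in 2.4.5) and reports hosts whose directly observed version disagrees with the inventory record. How the observed version is collected from each host is deployment-specific and is left out; the inventory and observation files below are constructed sample data.

```shell
#!/bin/sh
# Added example, not LiteSpeed's or cPanel's tooling. Classifies a LiteSpeed
# user-end cPanel plugin version against the advisory's affected range
# (2.3 through 2.4.4, fixed in 2.4.5) and reports hosts whose observed
# version disagrees with the inventory. Collecting the observed version per
# host is deployment-specific and NOT shown; sample data below is constructed.

# classify_plugin_version VERSION -> affected | fixed | not-listed | unparseable
# "not-listed" means below 2.3, which the advisory does not name as affected.
classify_plugin_version() {
    printf '%s\n' "$1" | awk -F. '
        NF < 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || ($3 != "" && $3 !~ /^[0-9]+$/) {
            print "unparseable"; exit
        }
        {
            n  = $1 * 1000000 + $2 * 1000 + ($3 + 0)   # 2.4.4 -> 2004004
            lo = 2 * 1000000 + 3 * 1000                # 2.3   -> 2003000
            hi = 2 * 1000000 + 4 * 1000 + 4            # 2.4.4 -> 2004004
            if (n < lo)       print "not-listed"
            else if (n <= hi) print "affected"
            else              print "fixed"
        }'
}

# report_drift INVENTORY OBSERVED: both files hold "host version" per line.
# Prints: host inventory-version observed-version STATUS classification
# STATUS is DRIFT (records disagree), MISSING (no observation) or OK; the
# classification is of the version actually running, not the inventory's.
report_drift() {
    awk '
        NR == FNR { inv[$1] = $2; next }
        { obs[$1] = $2 }
        END {
            for (h in inv) {
                if (!(h in obs))           st = "MISSING"
                else if (inv[h] != obs[h]) st = "DRIFT"
                else                       st = "OK"
                print h, inv[h], (h in obs ? obs[h] : "-"), st
            }
        }' "$1" "$2" | sort | while read -r host iv ov st; do
        case $ov in
            "-") cls="unknown" ;;
            *)   cls=$(classify_plugin_version "$ov") ;;
        esac
        printf '%s %s %s %s %s\n' "$host" "$iv" "$ov" "$st" "$cls"
    done
}

# hosts_needing_action INVENTORY OBSERVED: hosts that are running an affected
# version or could not be verified at all; both need a hand on the box.
hosts_needing_action() {
    report_drift "$1" "$2" | awk '$5 == "affected" || $5 == "unknown" { print $1 }'
}

# Constructed sample data (not real hosts). Note web02: inventory says patched,
# the host itself says 2.4.3. Temp files are left in place for re-runs.
INV=$(mktemp); OBS=$(mktemp)
printf '%s\n' 'web01 2.4.5' 'web02 2.4.5' 'web03 2.4.7' 'web04 2.4.5' > "$INV"
printf '%s\n' 'web01 2.4.5' 'web02 2.4.3' 'web03 2.4.7' > "$OBS"

report_drift "$INV" "$OBS"
```

The report deliberately classifies the observed version and ignores the inventory's claim: web02 is flagged as affected even though the inventory records it as patched, and web04, which never answered, is flagged as unknown rather than assumed fixed. Treat the unparseable case the same way; a host that cannot state its version has not been verified.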