A critical zero-day privilege escalation vulnerability in the LiteSpeed User-End cPanel plugin is being actively exploited in the wild, enabling any authenticated cPanel user to execute arbitrary scripts as root and gain full server control.
Tracked as CVE-2026-48172 with a maximum CVSS score of 10.0, the flaw has been patched as of May 21, 2026.
The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default.
LiteSpeed cPanel Plugin 0-Day Exploited
There is no race condition to win, nor an authentication gap to bridge; a single malformed API call with the right parameter values is sufficient for the attacker to escalate to root. The bug is particularly dangerous on shared-hosting environments where every tenant already holds a valid cPanel session.
Notably, the initial advisory stated that LiteSpeed's WHM plugin was not affected, but a follow-up on May 21 revised that position: a full security review uncovered additional potential vulnerabilities in both plugins, though none of these have been reported as exploited.
Any cPanel account, including a low-privileged user or an attacker with a compromised tenant account, can exploit the flaw to gain root-level access, enabling complete system compromise, data exfiltration, backdoor installation, and lateral movement.
The attack surface is broad: cPanel powers millions of shared-hosting servers globally, and the LiteSpeed User-End plugin has been widely deployed across hosting fleets due to its caching features.
The attack leaves a detectable footprint in cPanel's logs, because the exploit has to call the vulnerable redisAble JSON-API function. According to the LiteSpeed advisory, server administrators should immediately run the following IOC detection command:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
Any output indicates a potential exploitation attempt. If output is found, treat the host as compromised: rotate all credentials, including root passwords and SSH keys, and audit cron jobs and authorized_keys files for unauthorized additions. Note that an empty result is not proof of safety, since an attacker who reached root could have edited or truncated these logs.
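As an added example (not code from the LiteSpeed advisory or from cPanel), the shell script below runs the advisory's IOC pattern over a constructed sample log and turns each hit into the cPanel user, source IP and timestamp an incident responder needs for triage. The sample log-line layout (client IP, user, bracketed timestamp, request line, status) is an assumption made for the example and may differ from the real access_log format; only the grep pattern comes from the advisory.

```shell
#!/bin/sh
# Added example: scan cPanel logs for the CVE-2026-48172 IOC from the advisory
# and summarize which account called redisAble, from which IP, and when.

# The advisory's indicator: any request to the redisAble JSON-API function.
IOC_PATTERN='cpanel_jsonapi_func=redisAble'

# Write a constructed sample log so the script runs offline.
# ASSUMPTION: the "IP - user [timestamp] \"request\" status" layout is made up
# for this example and is not taken from cPanel documentation.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - alice [21/05/2026:08:14:02 +0000] "GET /cpsess1234/execute/Email/list_pops HTTP/1.1" 200
203.0.113.77 - bob [21/05/2026:09:02:41 +0000] "GET /cpsess9876/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&enable=1 HTTP/1.1" 200
203.0.113.10 - alice [21/05/2026:09:05:13 +0000] "GET /cpsess1234/frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.5 - carol [21/05/2026:09:07:55 +0000] "POST /cpsess5555/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 500
EOF
    printf '%s\n' "$f"
}

# Number of IOC hits across the given files or directories (searched recursively),
# the same signal the advisory's one-liner gives: any non-zero count is a red flag.
ioc_hit_count() {
    grep -rE "$IOC_PATTERN" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# One "user ip timestamp" line per hit, so each call can be tied to a tenant session.
ioc_report() {
    grep -rhE "$IOC_PATTERN" "$@" 2>/dev/null | awk '{ gsub(/^\[/, "", $4); print $3, $1, $4 }'
}

# Space-separated list of distinct cPanel accounts that issued the call;
# these are the accounts to suspend, audit and rotate first.
ioc_users() {
    ioc_report "$@" | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

main() {
    log=$(make_sample_log)
    n=$(ioc_hit_count "$log")
    if [ "$n" -gt 0 ]; then
        echo "POTENTIAL EXPLOITATION: $n redisAble call(s) found"
        ioc_report "$log"
        echo "accounts to audit and rotate: $(ioc_users "$log")"
    else
        echo "no redisAble calls found (absence of hits is not proof of safety)"
    fi
    rm -f "$log"
}

main
```

On a real host, point ioc_hit_count, ioc_report and ioc_users at /var/cpanel/logs and /usr/local/cpanel/logs/ instead of the sample file; a 500 status on a redisAble call (as in the constructed carol line) is still a hit worth investigating, since a failed attempt shows the account holder was probing the endpoint.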
cPanel's decision to force a fleet-wide uninstall of the plugin five hours before its scheduled Targeted Security Release (TSR) window underscores how severe the real-time exploitation was.
The LiteSpeed advisory is part of a broader May 2026 vulnerability streak that spans 22 days and includes eight advisory events across the cPanel ecosystem, including the critical pre-auth bypass CVE-2026-41940 (CVSS 9.8).
Mitigation
Administrators should immediately upgrade to LiteSpeed WHM Plugin v5.3.1.0, which is bundled with cPanel Plugin v2.4.7. To force a full cPanel update, run:
/scripts/upcp --force
To immediately remove the vulnerable plugin without upgrading, run:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
After either step, re-run the IOC check above; patching or uninstalling closes the entry point but does not undo a compromise that has already occurred. LiteSpeed also completed a broader security review in coordination with the cPanel/WebPros team, proactively patching additional potential attack vectors, none of which have been reported as exploited.

