CVE-2026-48172: Critical Privilege Escalation in LiteSpeed cPanel Plugin
Quick summary
CVE-2026-48172 – LiteSpeed cPanel Plugin Privilege Escalation
Critical vulnerability allowing root‑level command execution via the lsws.redisAble function – actively exploited in the wild.
CVE-2026-48172 is a critical privilege‑escalation vulnerability in the LiteSpeed User‑End cPanel Plugin. An attacker with access to a cPanel account can exploit the lsws.redisAble function to execute commands as root, and the flaw is being actively exploited in the wild. Affected versions are primarily 2.3 – 2.4.4. (LiteSpeed Blog)
Immediate Countermeasures
1. Patch Immediately (Highest Priority)
Upgrade to:
- LiteSpeed User‑End cPanel Plugin 2.4.7 or later
- LiteSpeed WHM Plugin 5.3.1.0 or later (includes the fixed user‑end plugin)
⚠️ If patching is impossible, remove/uninstall the vulnerable user‑end plugin until maintenance can be performed. (SecurityWeek)
2. Check for Exploitation Attempts
Run:
grep -rE "cpanel_jsonapi_func=redisAble" \
  /var/cpanel/logs \
  /usr/local/cpanel/logs/ 2>/dev/null
- No output → no known exploitation evidence.
- Output present → investigate the source IPs and review activity around those timestamps. (LiteSpeed Blog)
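When the search does return lines, grouping them by source address shows which IPs to investigate and the time window to review. This is an added example, not code from LiteSpeed or the original post; it assumes Apache-style log lines (client IP as the first field, timestamp in square brackets), and the names `summarize_hits` and `sample_log` and all sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: group redisAble hits by source IP.
# Assumption: Apache-style lines (client IP is field 1, timestamp in [brackets]).

INDICATOR='cpanel_jsonapi_func=redisAble'   # the string the grep above looks for

# Reads log lines on stdin and prints one tab-separated row per source IP:
#   hits <TAB> ip <TAB> first timestamp seen <TAB> last timestamp seen
# "first"/"last" follow input order; rows are sorted by hit count, highest first.
summarize_hits() {
  awk -v pat="$INDICATOR" '
    index($0, pat) == 0 { next }            # skip lines without the indicator
    {
      ip = $1
      o = index($0, "["); c = index($0, "]")
      ts = (o > 0 && c > o) ? substr($0, o + 1, c - o - 1) : "unknown"
      if (!(ip in hits)) first[ip] = ts
      hits[ip]++
      last[ip] = ts
    }
    END {
      for (ip in hits)
        printf "%d\t%s\t%s\t%s\n", hits[ip], ip, first[ip], last[ip]
    }
  ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range IPs, made-up users and paths).
sample_log() {
  cat <<'EOF'
192.0.2.10 - alice [01/Jan/2026:10:01:02 +0000] "GET /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - bob [01/Jan/2026:10:03:15 +0000] "GET /constructed/index.html HTTP/1.1" 200 1024
192.0.2.10 - alice [01/Jan/2026:10:05:40 +0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.5 - carol [01/Jan/2026:11:00:00 +0000] "GET /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0
EOF
}

# Demo on the constructed sample.
sample_log | summarize_hits
```

On a server, pipe the real matches in with `grep -rhE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null | summarize_hits`; `-h` drops the file-name prefix so the IP stays in the first field.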
3. Review for Post‑Exploitation Activity
Because successful exploitation can lead to root access:
- Check /var/log/secure and /var/log/auth.log
- Review new users:
cat /etc/passwd
- Review sudoers:
ls -la /etc/sudoers.d/
- Check recent cron jobs:
crontab -l
ls -la /etc/cron*
- Look for suspicious processes:
ps auxf
- Search for recently modified files:
find / -mtime -7 -type f 2>/dev/null
4. Block Suspicious IPs
If the log search identifies unauthorized IPs:
iptables -A INPUT -s <IP> -j DROP
or add them to your firewall/WAF blocklists. LiteSpeed specifically recommends reviewing and blocking suspicious IPs found in the exploitation logs. (LiteSpeed Blog)
5. Harden cPanel Access
- Enable MFA for all cPanel and WHM accounts.
- Disable unused cPanel accounts.
- Enforce strong passwords.
- Restrict WHM/cPanel access by IP where possible.
- Monitor login failures and successful logins from unusual locations.
6. Monitor for Persistence
Since attackers may have obtained root:
- Check SSH authorized keys:
find /home -name authorized_keys
- Look for web shells:
find /home -type f \( -name "*.php" -o -name "*.phtml" \) -mtime -7
- Run file integrity monitoring (AIDE, OSSEC, Wazuh, etc.).
7. Shared Hosting Providers
⚠️ This vulnerability is especially dangerous in multi‑tenant environments because one compromised cPanel account can become a full server compromise.
Consider:
- Account isolation (CloudLinux / CageFS)
- Enhanced logging
- EDR / IDS deployment
- Immediate credential rotation after remediation (CyCognito)
Incident Response Recommendation
If your server was running LiteSpeed User‑End cPanel Plugin 2.3–2.4.4 and the log search returns hits, assume possible root compromise and perform:
- Patch immediately.
- Investigate indicators of compromise.
- Rotate credentials (root, WHM, cPanel, database, API keys).
- Rebuild from a known‑good backup if compromise is confirmed. (LiteSpeed Blog)