LiteSpeed has disclosed and patched a critical 0‑day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers.
The bug is tracked as CVE‑2026‑48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5.
0‑Day in LiteSpeed cPanel Plugin Enables Root
According to LiteSpeed’s advisory, the issue resides in the lsws.redisAble function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
Because exploitation only requires access to a valid cPanel user, a malicious tenant or an already-compromised shared hosting account can pivot to full server takeover.
LiteSpeed confirms the vulnerability has been exploited in the wild, making it a true 0‑day at the time of discovery.
The flaw impacts all deployments running the vulnerable user-end plugin between versions v2.3 and v2.4.4, while the WHM plugin itself is not directly affected. LiteSpeed has issued a fix in cPanel plugin v2.4.5 and later bundled releases, and operators are urged to move to the latest builds without delay.
Detection and Immediate Mitigations
Administrators can quickly check for exploit attempts by searching cPanel logs for calls to the vulnerable function:
```bash
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
```

If the command returns no results, there is currently no evidence of exploitation in the retained logs on that server. Note that a clean result only covers logs that have not yet been rotated away or truncated, so it does not prove the server was never targeted. Any hits should be investigated by validating the source IPs, blocking suspicious addresses, and reviewing system logs for post-compromise activity.
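The advisory's grep answers only "did anyone call redisAble?"; the next question an operator asks is "from which addresses and which cPanel accounts, and how often?". The script below is an added example, not LiteSpeed's or cPanel's own tooling: it wraps the same search pattern and summarises hits per source IP and cPanel user. It assumes the common-log style layout for access_log lines (client IP, user, bracketed timestamp, request line, status), and it ships with constructed sample lines (fabricated IPs, users and session IDs; only the `cpanel_jsonapi_func=redisAble` parameter comes from the advisory) so it can be run offline.

```shell
#!/bin/sh
# Added triage helper built around the advisory's grep. This is example code,
# not LiteSpeed's or cPanel's own tooling. The log layout it parses is an
# assumption: a common-log style line of the form
#   <client ip> - <cpanel user> [<timestamp>] "<method> <path> HTTP/1.x" <status> ...
# Check the field positions against your own access_log before trusting the output.

# redis_hits DIR...: one line per request that called the vulnerable function,
# printed as "<ip> <user> <timestamp> <status>". Searches recursively, as the
# advisory's grep does; errors for missing directories are suppressed.
redis_hits() {
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null |
        awk '{ ts = $4; sub(/^\[/, "", ts); print $1, $3, ts, $9 }'
}

# redis_hits_by_source DIR...: hit count per "<ip> <user>" pair, busiest first.
# This is the list to validate and block per the advisory's guidance.
redis_hits_by_source() {
    redis_hits "$@" |
        awk '{ n[$1 " " $2]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# make_sample_logs: writes constructed sample lines (fabricated IPs from the
# documentation ranges, fabricated users and session IDs) into a temp directory
# and prints its path. Only the parameter cpanel_jsonapi_func=redisAble is taken
# from the advisory; the rest of each request line is invented for the demo.
make_sample_logs() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/access_log" <<'EOF'
203.0.113.5 - tenant1 [05/19/2026:14:22:01 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "curl/8.5.0"
203.0.113.5 - tenant1 [05/19/2026:14:22:04 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "curl/8.5.0"
198.51.100.7 - tenant2 [05/19/2026:15:01:17 -0000] "GET /cpsess0000000002/frontend/jupiter/mail/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.9 - tenant3 [05/19/2026:16:40:52 -0000] "GET /cpsess0000000003/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "python-requests/2.31"
EOF
    printf '%s\n' "$sample_dir"
}

# With no arguments, run the demo against the constructed logs; otherwise
# search the directories given, e.g. /var/cpanel/logs /usr/local/cpanel/logs/.
if [ "$#" -eq 0 ]; then
    demo=$(make_sample_logs)
    redis_hits_by_source "$demo"
    rm -rf "$demo"
else
    redis_hits_by_source "$@"
fi
```

Run with no arguments to see the demo output (two hits from 203.0.113.5 as tenant1, one from 198.51.100.9 as tenant3, the unrelated webmail request ignored), or pass the advisory's two log directories to run it against a real server. An empty result means the same thing as an empty grep: nothing in the retained logs, not proof of a clean host.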
For those unable to patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as a containment measure:
```bash
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
```

LiteSpeed strongly advises upgrading to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7) or higher, which includes the fix for CVE‑2026‑48172 and additional hardening from a broader security review.
In parallel, cPanel has pushed an automated removal of the vulnerable plugin via its May 19, 2026, security update, and instructs customers to force an update with:
```bash
/scripts/upcp --force
```

Disclosure Timeline
Following the initial report from security researcher David Strydom on May 19, 2026, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle.
LiteSpeed released cPanel plugin v2.4.6 and WHM plugin v5.3.0.0 on the same day, applied for CVE‑2026‑48172 on May 20, and completed a full security review, shipping cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 on May 21.
While additional issues were discovered and patched during this review, there are no current reports of those secondary vulnerabilities being exploited in the wild.
For hosting providers and server administrators, the guidance is clear: assume potential compromise on unpatched systems, update both cPanel and LiteSpeed components immediately, and review logs for suspicious activity originating from cPanel user contexts.
The post LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access appeared first on Cyber Security News.
