A critical zero-day privilege-escalation vulnerability in the LiteSpeed User-End cPanel plugin is being actively exploited. Tracked as CVE-2026-48172 with a maximum CVSS score of 10.0, the flaw enables any authenticated cPanel user to execute arbitrary scripts as root.
This vulnerability prompted emergency response measures, including cPanel forcing a fleet-wide uninstall five hours before its scheduled Technical Security Release window. A comprehensive patch was officially released on May 21, 2026.
The root cause of CVE-2026-48172 stems from a logic flaw within the plugin’s lsws.redisAble JSON-API endpoint.
This specific endpoint is exposed to every logged-in cPanel user by default, vastly expanding the attack surface. Exploitation is dangerously straightforward, requiring no authentication gap to bridge or race condition to win.
An attacker only needs to send a single malformed API call containing specific parameter values to escalate their privileges to root access.
This bug poses a catastrophic threat to shared-hosting environments where hundreds of tenants hold valid cPanel sessions on a single server.
Any low-privileged user or a threat actor who has compromised a basic tenant account can easily exploit this vulnerability to gain complete server control.
The LiteSpeed User-End plugin is widely deployed across hosting fleets for its caching features, putting millions of shared-hosting servers worldwide at risk.
Successful exploitation enables severe system compromises, including widespread data exfiltration, the installation of persistent backdoors, and lateral movement across networks.
Initial security advisories indicated that the LiteSpeed WHM plugin was unaffected by this logic flaw. However, a comprehensive security review completed on May 21 revealed additional potential vulnerabilities in both the cPanel and WHM plugins.
LiteSpeed and the cPanel/WebPros team proactively patched these newly discovered vectors, though none have been observed in active exploitation.
This incident falls within a high-threat period for hosting infrastructure. The LiteSpeed advisory joins a streak of severe May 2026 vulnerabilities spanning 22 days, featuring eight distinct advisory events across the cPanel ecosystem.
Active exploitation attempts leave a detectable footprint within cPanel’s access logs. According to the LiteSpeed advisory, server administrators must immediately scan for suspicious API activity to determine if their environments have been breached.
- Run the following command to detect exploitation attempts:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
- Treat the host as fully compromised if the command generates any output.
- Rotate all credentials immediately, prioritizing root passwords and SSH keys.
- Audit all system cronjobs and authorized_keys files to identify unauthorized additions or persistence mechanisms.
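A plain grep cannot match the indicator inside compressed files, and its raw output does not show which tenant account or source address made the call. The script below is an added example, not part of the LiteSpeed advisory or the original article: it searches the same indicator in plain and gzip-compressed logs and groups hits by source IP and account. It assumes access-log lines of the form `IP - USER [timestamp] "REQUEST" ...` and rotated logs ending in `.gz`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumptions:
#   - access-log lines look like: IP - USER [timestamp] "REQUEST" ...
#   - rotated logs are gzip-compressed and end in .gz
# Usage: sh scan.sh /var/cpanel/logs /usr/local/cpanel/logs   (scan.sh is a placeholder name)
IOC='cpanel_jsonapi_func=redisAble'   # indicator string from the advisory's grep

# Print every log line containing the indicator, from plain and .gz files.
ioc_lines() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip paths that do not exist on this host
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            case "$f" in
                *.gz) gzip -dc -- "$f" 2>/dev/null ;;
                *)    cat -- "$f" 2>/dev/null ;;
            esac | grep -F -- "$IOC" || :  # no match in this file is not an error
        done
    done
    return 0
}

# One line per (source IP, account): "COUNT IP USER", busiest first.
ioc_summary() {
    ioc_lines "$@" |
        awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2
}

# Exit status 0 when at least one hit exists (the advisory's "any output" rule).
ioc_found() {
    [ -n "$(ioc_summary "$@")" ]
}

if [ "$#" -gt 0 ]; then
    ioc_summary "$@"
fi
```

Each account listed is a starting point for scoping: the session behind the call may belong to a compromised tenant rather than the tenant's owner.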
Mitigation
Administrators must prioritize securing their infrastructure by applying the latest patches or removing the vulnerable components entirely.
- Upgrade immediately to LiteSpeed WHM Plugin v5.3.1.0, which includes the patched cPanel Plugin v2.4.7.
- Force a full cPanel update by executing:
/scripts/upcp --force
- Uninstall the vulnerable plugin without upgrading by running:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
