critical Threat analysis

LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation

CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.

Published: 2026-05-27
Read time: 6 min read
Sources: 5

On this page 0% read

Executive Summary

CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-26 with a 2026-05-29 remediation due date CISA KEV. The vulnerability is a critical privilege escalation flaw in the LiteSpeed User-End cPanel Plugin: any cPanel user account can abuse lsws.redisAble to execute arbitrary scripts as root LiteSpeed NVD.

NVD now records the exact vendor advisory and release-log references, lists vulnerable LiteSpeed cPanel Plugin versions up to but excluding 2.4.7, and includes the vendor-recommended log sweep for cpanel_jsonapi_func=redisAble under /var/cpanel/logs and /usr/local/cpanel/logs NVD. This post details the technical mechanics, impact boundaries, and an automated Python triage script to parse server logs for active exploitation traces.

Key Facts

cve: "CVE-2026-48172"
vendor: "LiteSpeed Technologies"
product: "User-End cPanel Plugin"
unaffected_products: ["LiteSpeed WHM Plugin"]
kev_added: "2026-05-26"
vulnerability: "Incorrect privilege assignment in lsws.redisAble JSON API function"
cwe: ["CWE-266", "CWE-269"]
affected_versions: ["2.3 <= LiteSpeed cPanel Plugin < 2.4.7", "LiteSpeed WHM Plugin < 5.3.1.0 may bundle an affected cPanel plugin"]
fixed_versions: ["LiteSpeed WHM Plugin >= 5.3.1.0 (includes cPanel Plugin 2.4.7)"]
nvd_cvss_v31: "8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
exploitation_status: "cisa_kev_exploited"
zero_day_status: "confirmed_zero_day_exploitation"

Source Confidence & Evidence Mapping

confirmed: CISA KEV lists CVE-2026-48172 as actively exploited, requiring federal agency remediation CISA KEV.
confirmed: LiteSpeed’s vendor advisory maps the vulnerability to lsws.redisAble in the User-End cPanel plugin, says the WHM plugin itself is not affected, and instructs operators to update to WHM Plugin 5.3.1.0 / cPanel Plugin 2.4.7 LiteSpeed.
confirmed: NVD lists affected CPEs up to but excluding cPanel Plugin 2.4.7 and WHM Plugin 5.3.1.0, references the LiteSpeed advisory and release log, and includes the vendor log-check command NVD.
confirmed: The Hacker News independently reported LiteSpeed’s active-exploitation statement and credited David Strydom for discovery/reporting The Hacker News.

Impact Determination

Classification	Criteria	Required evidence	Remediation trigger	Closure condition
Confirmed compromise	System audit logs or cPanel access logs contain references to `cpanel_jsonapi_func=redisAble`, accompanied by unexpected system privilege escalations or root-level binary modifications.	Logs showing `redisAble` execution queries and corresponding root process generation in `/var/log/secure` or `/var/cpanel/logs`.	Isolate the host, terminate active SSH sessions, and run rootkit audits.	Uninstall the plugin or apply the WHM patch, and rotate all server-level passwords and keys.
Presumed exposed	The cPanel server runs LiteSpeed User-End cPanel Plugin versions between `2.3` and `2.4.4`, and local user access is active.	Software version detection (`version` file inside `/usr/local/lsws/`) mapping to the affected range.	Restrict cPanel user permissions or temporarily uninstall the user-end plugin.	Upgrade the WHM package to `5.3.1.0` or higher to deploy the patched cPanel plugin `2.4.7`.
Potentially exposed	A web server utilizes LiteSpeed web server technology, but the installation status of the cPanel user plugin is unverified.	Service inventory identifying LiteSpeed Web Server without configuration auditing.	Run the Python plugin audit script.	Confirm if the system is presumed exposed, confirmed compromised, or not exposed.
Not exposed	The User-End cPanel plugin is completely uninstalled, or is verified running version `>= 2.4.7`.	Negative plugin inventory matching, or verified patched software version.	None for this CVE.	Version audit report is compiled and archived.

Timeline

2026-05-19: LiteSpeed credits David Strydom with reporting the issue LiteSpeed.
2026-05-21: LiteSpeed publishes the security update for the cPanel plugin and directs operators to update to WHM Plugin 5.3.1.0 / cPanel Plugin 2.4.7 LiteSpeed.
2026-05-23: Public reporting repeats LiteSpeed’s active-exploitation warning and affected version range The Hacker News.
2026-05-26: CISA adds CVE-2026-48172 to the KEV catalog with due date 2026-05-29 CISA KEV.

What Happened

The User-End cPanel plugin helps individual cPanel users manage LiteSpeed cache settings and cache utilities like Redis. However, the JSON API handler lsws.redisAble did not correctly validate user boundaries before executing system-level actions. A low-privileged cPanel user could pass crafted scripts to this API, which was executed by the high-privileged background manager, instantly escalating their permissions to root.

Technical Analysis

The primary flaw lies inside the privilege boundaries of the Captive cPanel script hooks. Because the background API helper executes with root context to manage system services, the lack of input sanitization in the redisAble routine allowed command injection.

Affected Assets and Blast Radius

asset_selectors:
  - "lsws"
  - "LiteSpeed Web Server"
  - "cPanel Plugin"
highest_value_assets:
  - "Shared hosting servers running cPanel with LiteSpeed enabled"
  - "Root administrative accounts and server credentials"
credentials_and_data_at_risk:
  - "Root user hashes and system shadow files"
  - "cPanel user databases and databases of all hosted clients"
  - "SSL certificates and server private keys"

Indicators And Detection Selectors

vulnerabilities: ["CVE-2026-48172"]
telemetry_selectors:
  - "cpanel_jsonapi_func=redisAble"
  - "redisAble"
  - "lsws.redisAble"

Detection and Hunting

This hunting script audits local server directories to identify the installed version of the LiteSpeed cPanel plugin and parses system/cPanel log exports for indicators of active redisAble privilege escalation exploitation:

#!/usr/bin/env python3
import json
import os
import re
import sys
from pathlib import Path

ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
TELEMETRY_DIR = Path(os.environ.get("TELEMETRY_DIR", "telemetry-export")).resolve()
OUT = Path(os.environ.get("OUT", "hp-litespeed-cve-2026-48172-scope")).resolve()

CVE = "CVE-2026-48172"
FIXED_VERSION = "2.4.7"

def read_text(path):
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except Exception:
        return ""

def is_vulnerable_version(ver_str):
    ver = re.findall(r"\d+", ver_str)
    if not ver:
        return False
    v_ints = tuple(int(x) for x in ver[:3])
    # Vulnerable: 2.3.0 <= ver <= 2.4.4
    if (2, 3, 0) <= v_ints <= (2, 4, 4):
        return True
    return False

OUT.mkdir(parents=True, exist_ok=True)
findings = {
    "exposed_plugins": [],
    "exploit_logs": []
}

# 1. Audit LiteSpeed Plugin Version Files
# Typically located in /usr/local/lsws/admin/html/cpanel/ or package manifests
for ver_file in ROOT.rglob("*"):
    if ver_file.name == "version" and "cpanel" in str(ver_file).lower():
        version_str = read_text(ver_file).strip()
        if is_vulnerable_version(version_str):
            findings["exposed_plugins"].append({
                "file": str(ver_file),
                "plugin": "LiteSpeed cPanel User Plugin",
                "version_found": version_str,
                "vulnerable": True,
                "remediation": "Upgrade WHM Plugin to 5.3.1.0+ or uninstall the User cPanel plugin"
            })

# 2. Audit cPanel Logs for "redisAble" API Exploitation
# Standard paths: /var/cpanel/logs/access_log or /usr/local/cpanel/logs/error_log
for path in ROOT.rglob("*"):
    if not path.is_file() or any(part in {".git", "node_modules"} for part in path.parts):
        continue
    
    if path.suffix in {".log", ".txt", ".json"}:
        body = read_text(path)
        # Search for the exact API exploit signature
        exploit_match = re.search(r"cpanel_jsonapi_func=redisAble|lsws\.redisAble", body, re.IGNORECASE)
        
        if exploit_match:
            findings["exploit_logs"].append({
                "file": str(path),
                "indicator": "LiteSpeed Captive API redisAble Injection Attempt",
                "matched_text": exploit_match.group(0),
                "context_snippet": body[max(0, exploit_match.start() - 80):min(len(body), exploit_match.end() + 80)].replace("\n", " ")
            })

with open(OUT / "findings.json", "w") as f:
    json.dump(findings, f, indent=2)

print(f"[{CVE} Audit Complete] Findings saved to: {OUT / 'findings.json'}")

Remediation & Credential Rotation Plan

Containment

If immediate patching is not possible, uninstall the User-End cPanel Plugin immediately to close the pre-authenticated API surface:

Command: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
This completely removes the vulnerable user-end integration while leaving the core WHM manager intact.

Eradication & Recovery

Apply Software Upgrades: Upgrade the primary WHM integration to version 5.3.1.0 or higher, which deploys the patched user cPanel plugin version 2.4.7 automatically.
Audit Administrative Accounts: Review all local system users and verify that no unauthorized SSH keys or root users have been added to /etc/passwd or /root/.ssh/authorized_keys.
Rotate Secrets: If the redisAble signature is found in server logs, treat the machine as fully compromised. Rotate all host private keys, local user passwords, and database access credentials immediately.