LiteSpeed cPanel plugin CVE-2026-48172 actively exploited for root takeover (CISA KEV)
CVE-2026-48172, a CVSS 10 privilege escalation flaw in the LiteSpeed User-End cPanel plugin, is being actively exploited in 2026. Any cPanel user (including a compromised tenant on shared hosting) can run arbitrary scripts as root. CISA added it to the Known Exploited Vulnerabilities catalog. Mirai botnet variants and a ransomware strain are reportedly being dropped via the bug. Patch to plugin v2.4.7 or WHM plugin v5.3.1.0 immediately.

Makoto Horikawa
Backend Engineer / AWS / Django
A root-takeover bug in a widely deployed cPanel plugin is being actively exploited
LiteSpeed's User-End cPanel Plugin, deployed across a large share of shared hosting providers, has a privilege escalation flaw rated at the maximum CVSS 4.0 score of 10.0. The bug is tracked as CVE-2026-48172 and is currently being abused in the wild, according to LiteSpeed's own security advisory and CISA's Known Exploited Vulnerabilities (KEV) catalog.
What it allows is straightforward and severe. Any single cPanel user account on a shared hosting box — including an attacker's own paid tenancy or a customer account compromised through password reuse — can call the plugin's lsws.redisAble function and end up running arbitrary scripts as root. From there, every other site, mailbox, and database on the same physical server is reachable.
According to The Hacker News' reporting, observed payloads include Mirai botnet variants repurposed to run on Linux web hosts, and a ransomware strain that encrypts site data on impacted servers. Patched releases shipped on May 19 through May 21, 2026, with NVD publishing the record on May 26.
What the LiteSpeed cPanel plugin is, and where it runs
A quick map of where this bug sits, so you can decide whether it touches you.
cPanel is the de facto control panel that most hosting providers hand to their customers. It is the web UI tenants use to create mailboxes, add databases, switch PHP versions, and so on. LiteSpeed Web Server is one of the most-deployed web servers on the planet; W3Techs tracking puts it in the high single-digit to low double-digit percent range of the top 10M websites, and it is particularly popular for accelerating WordPress.
The vulnerable component, the LiteSpeed User-End cPanel Plugin, is the glue that exposes LiteSpeed features (Redis cache toggling, page-cache settings, image optimization) to tenants from inside cPanel. If a hosting provider has deployed cPanel + LiteSpeed together, this plugin is almost certainly present.
In practical terms, that means any WordPress-focused shared hosting brand, low-cost cPanel VPS image, or budget reseller that runs LiteSpeed for its speed boost is in scope. Custom in-house control panels — which most large Japanese hosts use — are not affected.
What's broken: an admin function that runs anyone's script as root
The technical defect is small and easy to state. From LiteSpeed's advisory:
"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root."
lsws.redisAble is supposed to be a benign administrative helper for enabling Redis cache on a site. The implementation, however, mishandles privilege separation: instead of dropping to the caller's permissions, the helper runs the requested action with the server's root privileges. A feature designed to expose Redis toggling to tenants effectively became "a button that runs arbitrary commands as root."
In CWE terms this is CWE-266: Incorrect Privilege Assignment. Affected versions are LiteSpeed User-End cPanel Plugin v2.3 through v2.4.4. The fix landed in v2.4.5, with v2.4.7 (bundled with WHM Plugin v5.3.1.0) recommended as the current stable release.
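The shape of the defect, and of the fix the text describes (drop to the caller's permissions instead of running as root), in an added illustrative Python example. This is not the plugin's code: the request fields, the function names, the sample account table and REDIS_TOOL are invented for illustration, and LiteSpeed's actual fix in v2.4.5 may be structured differently. The block puts a root helper that executes a tenant-supplied script unchecked next to one that allow-lists the action, confines the target path to the calling account's home, and plans the command to run as the caller rather than root.

```python
"""Privilege-separation pattern for a root helper behind a tenant control panel.

Added illustrative example, not the LiteSpeed plugin's code. The request shape,
function names, sample accounts and REDIS_TOOL are invented for illustration.
"""
import os
import pwd
import subprocess

REDIS_TOOL = "/usr/local/lsws/admin/misc/redis_toggle.sh"  # hypothetical fixed helper
ALLOWED_ACTIONS = {"enable", "disable"}


class HelperError(Exception):
    """Request refused by the privileged helper."""


def vulnerable_redis_able(request):
    """CWE-266 shape: the helper already runs as root, never asks who the caller
    is, and executes whatever path the tenant put in the request."""
    return {"uid": 0, "gid": 0, "argv": ["/bin/sh", request["script"]]}


def hardened_redis_able(request, caller, lookup=pwd.getpwnam):
    """Same feature with the missing checks restored:
    1. only a fixed, allow-listed action, never a caller-supplied program;
    2. the target must live under the calling account's own home directory;
    3. the command is planned to run as the caller, not as root."""
    action = request.get("action")
    if action not in ALLOWED_ACTIONS:
        raise HelperError(f"action not allowed: {action!r}")
    try:
        pw = lookup(caller)
    except KeyError:
        raise HelperError(f"unknown account: {caller!r}") from None
    docroot = request.get("docroot", "")
    if not os.path.isabs(docroot):
        raise HelperError("docroot must be absolute")
    real = os.path.realpath(docroot)  # collapses ../ and symlinked components
    home = os.path.realpath(pw.pw_dir)
    # commonpath, not startswith: /home/alice_evil must not pass as /home/alice
    if os.path.commonpath([home, real]) != home:
        raise HelperError(f"docroot {real} is outside {home}")
    return {"uid": pw.pw_uid, "gid": pw.pw_gid, "argv": [REDIS_TOOL, f"--{action}", real]}


def execute(plan, dry_run=False):
    """Run a plan; when we are root, drop to the planned uid/gid before exec."""
    if dry_run:
        return plan["argv"]
    euid = os.geteuid()
    if euid == 0 and plan["uid"] != 0:
        # subprocess.run(user=..., group=...) does setgid/setuid in the child (Python 3.9+)
        return subprocess.run(plan["argv"], user=plan["uid"], group=plan["gid"],
                              check=True).returncode
    if euid != plan["uid"]:
        raise HelperError("not root, cannot switch to the planned uid")
    return subprocess.run(plan["argv"], check=True).returncode


# Constructed account table so the example runs without real system users.
class _Account:
    def __init__(self, uid, gid, home):
        self.pw_uid, self.pw_gid, self.pw_dir = uid, gid, home


SAMPLE_ACCOUNTS = {"alice": _Account(1001, 1001, "/home/alice"),
                   "bob": _Account(1002, 1002, "/home/bob")}


def sample_lookup(name):
    return SAMPLE_ACCOUNTS[name]  # raises KeyError like pwd.getpwnam


def refusal(request, caller, lookup=sample_lookup):
    """Return the hardened helper's refusal reason, or None if it would plan the action."""
    try:
        hardened_redis_able(request, caller, lookup)
    except HelperError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    req = {"action": "enable", "docroot": "/home/alice/public_html"}
    print("hardened plan:  ", execute(hardened_redis_able(req, "alice", sample_lookup), dry_run=True))
    print("vulnerable plan:", execute(vulnerable_redis_able({"script": "/home/alice/evil.sh"}), dry_run=True))
    print("traversal:      ", refusal({"action": "enable", "docroot": "/home/alice/../bob/public_html"}, "alice"))
```

The vulnerable variant has no notion of a caller at all, which is the whole problem: the tenant's script path goes straight into a root exec. The hardened variant never takes a program from the tenant; it takes a verb, validates the only path it accepts against the caller's own home after symlink resolution, and defers the privilege drop to the point of execution.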
How to check whether your server has already been hit (one command)
If you have root or sudo on the box, LiteSpeed publishes a one-line check against cPanel's request logs:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
Every exploitation attempt traverses the JSON API endpoint with cpanel_jsonapi_func=redisAble, so the grep surfaces every call to the vulnerable function. Because the Redis toggle is a feature the plugin legitimately exposes to tenants, a hit is not proof by itself, but it pins down exactly which account and source IP made the call. Work every non-empty result as a probable root-level compromise until you can show the call was a benign toggle: validate the calling account and source IPs, block the malicious ones, and pivot to full incident response under the assumption the server was rooted. A clean result narrows the window but does not rule out activity in logs that have already rotated out, so apply the patch and tighten monitoring regardless.
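To go one step beyond the grep, the following added example (not LiteSpeed's or cPanel's tooling) parses the matching lines and groups the calls by cPanel account and source IP, with first and last timestamps, request methods and response codes, so you can see who made the calls and whether they cluster. It assumes cPanel's access_log layout (client IP, account, bracketed timestamp, request line, status); verify that against your own log before relying on it. The sample lines are constructed, and the module name lsws in them is inferred from the page's lsws.redisAble. Like the grep, it keys only on the function name in the query string, since the page does not publish the exploit's other parameters.

```python
"""Group CVE-2026-48172 log hits by cPanel account and source IP.

Added illustrative example, not LiteSpeed's or cPanel's own tooling.
Assumed log layout (cPanel access_log style):
  IP - account [timestamp] "METHOD URI HTTP/x" STATUS BYTES "REFERER" "UA"
Check it against your own /usr/local/cpanel/logs/access_log before relying on it.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

MARKER = "cpanel_jsonapi_func"
TARGET_FUNC = "redisAble"

# The timestamp is kept as text: cPanel's bracketed date is not Apache's format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def calls_redis_able(uri):
    """True when the request's query string names the vulnerable function."""
    query = parse_qs(urlsplit(uri).query)
    return TARGET_FUNC in query.get(MARKER, [])


def raw_hit_count(lines):
    """What the vendor's grep returns: lines containing the marker pair."""
    needle = f"{MARKER}={TARGET_FUNC}"
    return sum(1 for line in lines if needle in line)


def triage(lines):
    """Group redisAble calls by (account, source IP) with first/last seen."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or not calls_redis_able(m["uri"]):
            continue
        key = (m["user"], m["ip"])
        entry = hits.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"],
                                      "methods": set(), "statuses": set()})
        entry["count"] += 1
        entry["last"] = m["ts"]          # log is chronological, so the last match is the latest
        entry["methods"].add(m["method"])
        entry["statuses"].add(int(m["status"]))
    return hits


def report(hits):
    """One line per (account, IP), busiest callers first."""
    rows = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{user:<12} {ip:<15} calls={e['count']:<4} first={e['first']} last={e['last']} "
        f"methods={','.join(sorted(e['methods']))} "
        f"status={','.join(str(s) for s in sorted(e['statuses']))}"
        for (user, ip), e in rows
    ]


# Constructed sample: two scripted calls seconds apart from one account, one from another.
SAMPLE_LOG = """\
203.0.113.5 - alice [05/19/2026:02:14:07 -0000] "GET /cpsess5551234/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "curl/8.5.0"
203.0.113.5 - alice [05/19/2026:02:14:09 -0000] "GET /cpsess5551234/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "curl/8.5.0"
198.51.100.7 - bob [05/19/2026:09:00:00 -0000] "GET /cpsess9876543/frontend/jupiter/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.7 - bob [05/19/2026:09:01:12 -0000] "POST /cpsess9876543/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "Mozilla/5.0"
"""


def main(argv):
    if len(argv) > 1:
        lines = []
        for path in argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh.read().splitlines())
    else:
        lines = SAMPLE_LOG.splitlines()
    print(f"grep-equivalent hits: {raw_hit_count(lines)}")
    for row in report(triage(lines)):
        print(row)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or pass one or more access_log files (rotated copies included). A caller that hits the function twice within seconds from a curl user agent, as alice does in the sample, is the pattern to chase first; a single call from a browser session during business hours may be the tenant using the feature, and that is what the calling account and timestamps let you tell apart.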
Active exploitation: Mirai botnet variants and a ransomware strain in the wild
Per The Hacker News, the payloads observed dropped via CVE-2026-48172 fall into two buckets: Mirai-family botnet variants being repurposed to weaponize Linux hosting servers as DDoS launchpads, and a ransomware strain that encrypts hosted site data, databases, and backups in place.
No public proof-of-concept exploit code had been released as of this writing. As Cybersecurity News notes, "the technical simplicity of the vulnerability has enabled threat actors to develop private exploits rapidly." Read that as: there is no PoC because no PoC is necessary — operators are reimplementing the call from the advisory in a few lines.
Remediation: for server admins and for hosting tenants
The right action depends on which side of the wall you sit on.
▼ Hosting providers and VPS / dedicated server admins
Patch LiteSpeed User-End cPanel Plugin to v2.4.7 or later (shipped alongside WHM Plugin v5.3.1.0). Follow LiteSpeed's release log.
cPanel itself issued an emergency security update on May 19, 2026 that automatically uninstalls the vulnerable plugin on update. If your automatic cPanel updates are running, the plugin may already be gone; force the path explicitly to be sure:
# Force-apply cPanel updates (will pick up the auto-uninstall logic)
/scripts/upcp --force
# If patching is not yet possible, remove the plugin manually:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
After patching, run the grep check above on historical logs. If you see hits, work the incident as a confirmed root compromise; half-measures will not clean up an attacker who already owned the box.
▼ Shared hosting tenants
You cannot patch this yourself; the fix is your provider's responsibility. What you can do:
- Confirm whether your hosting provider uses cPanel + LiteSpeed. (If your control panel URL contains :2083 or cpanel, you are on cPanel.)
- Check your provider's status / security page for a CVE-2026-48172 advisory. If there is no statement, open a support ticket and ask which plugin version they are running.
- Rotate every credential tied to that hosting account: cPanel password, WordPress admin, mailbox passwords, and any API keys stored on the server. Assume credential exposure if any other tenant on the same box was compromised.
Disclosure timeline: from researcher report to forced auto-uninstall
Why shared hosting makes this worse: one weak tenant can topple the whole box
What turns CVE-2026-48172 from "another LPE" into a hosting-industry crisis is the entry condition: the attacker only needs any single valid cPanel session. That can be the attacker's own cheap shared hosting account, or a victim tenant's account picked up via credential stuffing. Either way, the moment that single session exists, every other site on the same physical server is reachable.
Shared hosting's business model packs hundreds to thousands of tenants on one box, relying on OS-level permission separation to keep them apart. CVE-2026-48172 punches a hole through that separation by handing root to anyone who can call a JSON API endpoint. In effect: "another tenant on your server had a weak password" becomes "your site got rooted too."
This pushes the operational burden well past "apply patch." Hosting providers also need to think about tenant-wide disclosure, breach-notification timing, and the legal exposure that comes with a single-incident, many-victim posture.
CVSS 10, on CISA KEV, with botnet and ransomware payloads. There is no room to wait.
A CVSS 4.0 score of 10.0, a CISA Known Exploited Vulnerabilities listing, and confirmed in-the-wild deployment of Mirai variants and ransomware leave server administrators with no real deliberation window. Patch now.
If you're a tenant, the one action worth taking today is checking whether your hosting provider runs cPanel + LiteSpeed. If they do, look for their advisory, rotate your credentials, and verify your most recent off-server backup.
References
- NVD: CVE-2026-48172
- Security Update for LiteSpeed cPanel Plugin (LiteSpeed official blog)
- CISA Known Exploited Vulnerabilities Catalog
- LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root (The Hacker News)
- LiteSpeed cPanel Plugin 0-Day Exploited in the Wild to Gain Server Root Access (Cybersecurity News)
- LiteSpeed User-End cPanel Plugin Privilege Escalation (Gotekky Security)
- LiteSpeed cPanel Support (official)
- CWE-266: Incorrect Privilege Assignment