Top/Articles/LiteSpeed cPanel plugin CVE-2026-48172 actively exploited for root takeover (CISA KEV)
litespeed-cpanel-plugin-cve-2026-48172-kev-cover-en

LiteSpeed cPanel plugin CVE-2026-48172 actively exploited for root takeover (CISA KEV)

CVE-2026-48172, a CVSS 10 privilege escalation flaw in the LiteSpeed User-End cPanel plugin, is being actively exploited in 2026. Any cPanel user (including a compromised tenant on shared hosting) can run arbitrary scripts as root. CISA added it to the Known Exploited Vulnerabilities catalog. Mirai botnet variants and a ransomware strain are reportedly being dropped via the bug. Patch to plugin v2.4.7 or WHM plugin v5.3.1.0 immediately.

NewsPublished May 27, 2026Last updated May 28, 2026
Table of contents
Key takeaways

CVE-2026-48172, a CVSS 10 privilege escalation flaw in the LiteSpeed User-End cPanel plugin, is being actively exploited in 2026. Any cPanel user (including a compromised tenant on shared hosting) can run arbitrary scripts as root. CISA added it to the Known Exploited Vulnerabilities catalog. Mirai botnet variants and a ransomware strain are reportedly being dropped via the bug. Patch to plugin v2.4.7 or WHM plugin v5.3.1.0 immediately.

A root-takeover bug in a widely deployed cPanel plugin is being actively exploited

LiteSpeed's User-End cPanel Plugin, deployed across a large share of shared hosting providers, has a privilege escalation flaw rated at the maximum CVSS 4.0 score of 10.0. The bug is tracked as CVE-2026-48172 and is currently being abused in the wild, according to LiteSpeed's own security advisory and CISA's Known Exploited Vulnerabilities (KEV) catalog.

What it allows is straightforward and severe. Any single cPanel user account on a shared hosting box β€” including an attacker's own paid tenancy or a customer account compromised through password reuse β€” can call the plugin's lsws.redisAble function and end up running arbitrary scripts as root. From there, every other site, mailbox, and database on the same physical server is reachable.

According to The Hacker News' reporting, observed payloads include Mirai botnet variants repurposed to run on Linux web hosts, and a ransomware strain that encrypts site data on impacted servers. Patched releases shipped on May 19 through May 21, 2026, with NVD publishing the record on May 26.

A $5 hosting plan that lets you hold every neighbor on the box hostage

A CVSS-10 root takeover on shared hosting, from the attacker's economic perspective, is "a treasure chest with a comically low per-box acquisition cost just hit the market." Lining up the buyers on one side and the bystanders on the other shows why this CVE is already being weaponized.

The people who want root on a shared hosting box are not only nation-state crews going after corporate intranets. The most cash-motivated operators are cryptocurrency mining gangs, scam crews shopping for phishing-page hosting, ransomware operators who extort tens of thousands of dollars in exchange for decrypting site data, and botnet-as-a-service vendors who resell compromised boxes by the count. What they really want is a single server that hosts hundreds or thousands of tenant sites in one place. One successful root foothold gives them every tenant's control panel credentials, every email body, every database, the source code of payment pages, and customer lists in one sweep. This CVE turns a single cheap monthly plan into root over every neighboring site on the chassis, which is why Mirai variants and ransomware are already being observed firing on the same box at the same time. Hundreds of WordPress sites on the same chassis end up simultaneously seeded with mining scripts, then mutated into phishing pages, then finally encrypted by ransomware β€” a three-layer stack of damage playing out in the real world right now.

In industry terms, a cross-tenant root takeover on shared hosting is called "cross-tenant compromise," and it is the scenario every SaaS and hosting provider fears most. The LiteSpeed cPanel plugin exists precisely to expose LiteSpeed settings to each tenant under tenant-scoped privileges; with that separation broken, an attacker can pay for the cheapest hosting plan available and escalate to box-wide root from inside their own account. That root then reaches the cPanel backup system, the mail stack (Exim/Dovecot), every tenant's MySQL credentials, and TLS private keys β€” far enough to damage the hosting provider's brand at a reputational level.

A perfect-10 score measures the damage on one box, but the structure of shared hosting spreads the pain evenly across the rent roll: e-commerce store owners, small law firms, and local media outlets who rented space on the same chassis end up named in the provider's "to all tenants" apology email, listed as the source of skimmed card data, and handed a payment-processor shutdown notice β€” even though none of them missed a patch themselves. The very design that made shared hosting cheap ("split the cost across many tenants") flips into a joint liability contract for the breach.

What the LiteSpeed cPanel plugin is, and where it runs

A quick map of where this bug sits, so you can decide whether it touches you.

cPanel is the de-facto control panel that most hosting providers hand to their customers. It is the web UI tenants use to create mailboxes, add databases, switch PHP versions, and so on. LiteSpeed Web Server is one of the most-deployed web servers on the planet β€” W3Techs tracking puts it in the high single-digit to low double-digit percent range of the top 10M websites, particularly popular for accelerating WordPress.

The vulnerable component, the LiteSpeed User-End cPanel Plugin, is the glue that exposes LiteSpeed features (Redis cache toggling, page-cache settings, image optimization) to tenants from inside cPanel. If a hosting provider has deployed cPanel + LiteSpeed together, this plugin is almost certainly present.

In practical terms, that means any WordPress-focused shared hosting brand, low-cost cPanel VPS image, or budget reseller that runs LiteSpeed for its speed boost is in scope. Custom in-house control panels β€” which most large Japanese hosts use β€” are not affected.

What's broken: an admin function that runs anyone's script as root

The technical defect is small and easy to state. From LiteSpeed's advisory:

"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root."

lsws.redisAble is supposed to be a benign administrative helper for enabling Redis cache on a site. The implementation, however, mishandles privilege separation: instead of dropping to the caller's permissions, the helper runs the requested action with the server's root privileges. A feature designed to expose Redis toggling to tenants effectively became "a button that runs arbitrary commands as root."

In CWE terms this is CWE-266: Incorrect Privilege Assignment. Affected versions are LiteSpeed User-End cPanel Plugin v2.3 through v2.4.4. The fix landed in v2.4.5, with v2.4.7 (bundled with WHM Plugin v5.3.1.0) recommended as the current stable release.

How to check whether your server has already been hit (one command)

If you have root or sudo on the box, LiteSpeed publishes a one-line check against cPanel's request logs:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/

Every exploitation attempt traverses the JSON API endpoint cpanel_jsonapi_func=redisAble, so any hit is, by construction, a suspect request. Any non-empty result should be treated as a likely root-level compromise: validate the source IPs, block the malicious ones, and pivot to full incident response under the assumption the server was rooted. A clean result narrows the window but does not rule out earlier rotated-out activity, so apply the patch and tighten monitoring regardless.

Active exploitation: Mirai botnet variants and a ransomware strain in the wild

Per The Hacker News, the payloads observed dropped via CVE-2026-48172 fall into two buckets: Mirai-family botnet variants being repurposed to weaponize Linux hosting servers as DDoS launchpads, and a ransomware strain that encrypts hosted site data, databases, and backups in place.

No public proof-of-concept exploit code had been released as of this writing. As Cybersecurity News notes, "the technical simplicity of the vulnerability has enabled threat actors to develop private exploits rapidly." Read that as: there is no PoC because no PoC is necessary β€” operators are reimplementing the call from the advisory in a few lines.

Remediation: for server admins and for hosting tenants

The right action depends on which side of the wall you sit on.

β–Ό Hosting providers and VPS / dedicated server admins

Patch LiteSpeed User-End cPanel Plugin to v2.4.7 or later (shipped alongside WHM Plugin v5.3.1.0). Follow LiteSpeed's release log.

cPanel itself issued an emergency security update on May 19, 2026 that automatically uninstalls the vulnerable plugin on update. If your automatic cPanel updates are running, the plugin may already be gone; force the path explicitly to be sure:

# Force-apply cPanel updates (will pick up the auto-uninstall logic)
/scripts/upcp --force

# If patching is not yet possible, remove the plugin manually:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

After patching, run the grep check above on historical logs. If you see hits, work the incident as a confirmed root compromise β€” half-measures will not clean up an attacker who already owned the box.

β–Ό Shared hosting tenants

You cannot patch this yourself; the fix is your provider's responsibility. What you can do:

  • Confirm whether your hosting provider uses cPanel + LiteSpeed. (If your control panel URL contains :2083 or cpanel, you are on cPanel.)
  • Check your provider's status / security page for a CVE-2026-48172 advisory. If silence, open a support ticket and ask which plugin version they are running.
  • Rotate every credential tied to that hosting account: cPanel password, WordPress admin, mailbox passwords, and any API keys stored on the server. Assume credential exposure if any other tenant on the same box was compromised.

Disclosure timeline: from researcher report to forced auto-uninstall

← Swipe to navigate

Why shared hosting makes this worse: one weak tenant can topple the whole box

What turns CVE-2026-48172 from "another LPE" into a hosting-industry crisis is the entry condition: the attacker only needs any single valid cPanel session. That can be the attacker's own cheap shared hosting account, or a victim tenant's account picked up via credential stuffing. Either way, the moment that single session exists, every other site on the same physical server is reachable.

Shared hosting's business model packs hundreds to thousands of tenants on one box, relying on OS-level permission separation to keep them apart. CVE-2026-48172 punches a hole through that separation by handing root to anyone who can call a JSON API endpoint. In effect: "another tenant on your server had a weak password" becomes "your site got rooted too."

This pushes the operational burden well past "apply patch." Hosting providers also need to think about tenant-wide disclosure, breach-notification timing, and the legal exposure that comes with a single-incident, many-victim posture.

CVSS 10, on CISA KEV, with botnet and ransomware payloads. There is no room to wait.

A CVSS 4.0 score of 10.0, a CISA Known Exploited Vulnerabilities listing, and confirmed in-the-wild deployment of Mirai variants and ransomware leave server administrators with no real deliberation window. Patch now.

If you're a tenant, the one action worth taking today is checking whether your hosting provider runs cPanel + LiteSpeed. If they do, look for their advisory, rotate your credentials, and verify your most recent off-server backup.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django