2026 Q2 Threat Report: Track the Threats Shaping Enterprise Risk

Access the Exclusive Report
Get a Demo

Vulnerabilities

CVE-2026-48172

CVE-2026-48172 is a critical LiteSpeed cPanel plugin flaw that allows privilege escalation and potential root-level access.

CVSS Gauge
CVSS Needle
CVSS Score: 9.8

Summary

CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin before version 2.4.5. The flaw involves the plugin’s Redis enable/disable functionality and can allow attackers to gain root privileges, leading to full system compromise. The vulnerability has been actively exploited in the wild and is fixed in version 2.4.5, with LiteSpeed recommending upgrades to cPanel Plugin 2.4.7 and WHM Plugin 5.3.1.0.

Urgent Actions Required

  • Upgrade LiteSpeed User-End cPanel Plugin to version 2.4.5 or later (recommended: 2.4.7)
  • Upgrade LiteSpeed WHM Plugin to version 5.3.1.0 where applicable
  • Check cPanel logs for exploitation indicators using: cpanel_jsonapi_func=redisAble in /var/cpanel/logs and /usr/local/cpanel/logs/
  • Investigate and block suspicious IPs if log indicators are found
  • If exploitation is suspected, treat the system as potentially compromised and review system activity logs

Which Systems Are Vulnerable to CVE-2026-48172?

Technical Overview 

  • Vulnerability Type: Privilege Escalation via Improper Authorization in Redis Enable/Disable Function (CWE-266)
  • Affected Software/Versions:
    • LiteSpeed User-End cPanel Plugin < 2.4.5
    • cPanel environments using the vulnerable User-End plugin
    • LiteSpeed WHM Plugin is reported as not affected
  • CVSS Vector: v3.1
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
  • Patch Availability: Yes, available 
    1. Control Panel Plugins Release Log - LiteSpeed Technologies
    2. Security Update for LiteSpeed cPanel Plugin ⋆ LiteSpeed Blog

How Does the CVE-2026-48172 Exploit Work?

The attack typically follows these steps:

CVE-2026-48172

What Causes CVE-2026-48172?

Vulnerability Root Cause:   

This vulnerability is caused by incorrect privilege assignment in the LiteSpeed User-End cPanel Plugin. The issue is present in the handling of Redis enable and disable functionality exposed through the lsws.redisAble function. The plugin improperly handles requests to the cpanel_jsonapi_func=redisAble function, allowing users to perform privileged actions and potentially gain root access.

How Can You Mitigate CVE-2026-48172?

If immediate patching is delayed or not possible: 

  • Review cPanel logs and search for cpanel_jsonapi_func=redisAble in /var/cpanel/logs and /usr/local/cpanel/logs/ to identify possible exploitation activity.
  • Investigate any matching entries and validate associated IP addresses for legitimacy.
  • Block suspicious or unknown IP addresses identified from log analysis.
  • Examine system logs linked to those IPs to assess potential post-exploitation activity.
  • If compromise is suspected, treat the system as potentially breached and perform full incident response actions, including system and account review.

Which Assets and Systems Are at Risk?

  • Asset Types Affected:
    • cPanel Hosting Environments - Systems running LiteSpeed User-End cPanel Plugin versions prior to 2.4.5
    • Shared Hosting Servers - Multi-user environments where multiple cPanel accounts operate on the same infrastructure
    • LiteSpeed-integrated Hosting Stacks - Deployments using the LiteSpeed cPanel plugin for Redis-related functionality
  • Business-Critical Systems at Risk:
    • Hosting Infrastructure Servers - Risk of full system compromise due to root-level privilege escalation
    • Customer Hosting Accounts - Potential exposure where a single compromised cPanel account can impact the entire server
    • Managed Hosting Platforms - Environments where administrative control depends on plugin-based privilege boundaries
  • Exposure Level:
    • Internet-exposed cPanel Interfaces - Accessible administrative panels interacting with the JSON API endpoint
    • Shared Multi-tenant Hosting Systems - Higher risk due to cross-user impact within the same server
    • Unpatched LiteSpeed Deployments - Systems running plugin versions earlier than 2.4.5 remain vulnerable to exploitation

Will Patching CVE-2026-48172 Cause Downtime?

Patch application impact: Low downtime impact. Fix requires upgrading the LiteSpeed User-End cPanel Plugin to 2.4.5 or later (recommended: 2.4.7) and the WHM Plugin to 5.3.1.0. Update mainly involves plugin replacement, with minimal service interruption in most environments.

Mitigation (if immediate patching is not possible): Remove or disable the plugin to reduce risk. Check logs for cpanel_jsonapi_func=redisAble, investigate suspicious IPs, and review system activity. Systems remain vulnerable until patched.

How Can You Detect CVE-2026-48172 Exploitation?

Exploitation Signatures:

Look for cpanel_jsonapi_func=redisAble entries in /var/cpanel/logs and /usr/local/cpanel/logs/. Review any matches and investigate the associated IP addresses.

Indicators of Compromise (IOCs/IOAs):

  • Presence of cpanel_jsonapi_func=redisAble in cPanel logs
  • Entries found within /var/cpanel/logs or /usr/local/cpanel/logs/
  • Associated IP addresses linked to these log entries requiring validation

Behavioral Indicators:

  • Requests invoking the Redis enable/disable function through the cPanel JSON API
  • Privileged actions executed through the LiteSpeed User-End cPanel Plugin
  • Evidence of elevated execution resulting from plugin-triggered operations

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Any log occurrence of cpanel_jsonapi_func=redisAble
    • Requests targeting cPanel JSON API Redis functionality
    • Suspicious or unrecognized IPs interacting with cPanel plugin endpoints

Remediation & Response

  • Incident Response Considerations:
    • Treat systems showing evidence of exploitation as potentially compromised.
    • Review system logs for activity associated with suspicious IP addresses.
    • Assess whether privileged actions or root-level access may have occurred before remediation.

See How Rich Metadata Uncovers Threats Hidden in Network Traffic

      • Understand NetFlow and PCAP limitations
      • Improve threat detection with historical metadata
      • Learn from real-world investigation use cases
      • Discover four hidden insights metadata reveals
Download the Whitepaper

CVSS Breakdown Table 

MetricValue Description
Base Score9.8Critical-severity vulnerability with a high potential for system compromise
Attack VectorNetwork   The vulnerability can be exploited remotely over a network
Attack ComplexityLowExploitation does not require special conditions or complex preparation
Privileges RequiredNoneNo privileges are required according to the CVSS vector
User Interaction NoneExploitation does not depend on user action
Scope Unchanged The impact remains within the affected component's security scope
Confidentiality Impact HighSuccessful exploitation may expose sensitive information
Integrity Impact HighAttackers may perform unauthorized actions or modifications.
Availability ImpactHighExploitation may affect the availability of the affected system

References:

  1. NVD – CVE-2026-48172
  2. CVE Record: CVE-2026-48172

Vulnerability Overview 

CVE ID: CVE-2026-48172

CVE Title: LiteSpeed cPanel Plugin Privilege Escalation via Redis Function Misuse

Severity: Critical

CVSS Score: 9.8

Exploit Status: Actively exploited in the wild (May 2026)

Business Risk: Critical risk of full server compromise. Attackers can escalate from a cPanel user account to root access, allowing complete takeover of the hosting server.

Compliance Impact: Potential exposure of hosted customer environments and sensitive server-level data due to privilege escalation. Risk of violation of security and data protection requirements in multi-tenant hosting environments due to unauthorized root-level access.

Identifying CVEs Cover Banner

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo