At a glance: A critical vulnerability in the LiteSpeed cPanel plugin is actively exploited and allows low-privileged users to gain root-level access. The flaw affects widely deployed shared hosting environments, where a single compromised account can lead to full server takeover. Upgrading to patched plugin versions or removing the vulnerable component reduces exposure and limits the risk of system-wide compromise.
Threat summary
On May 21, LiteSpeed released cPanel plugin version 2.4.7 and Web Host Manager (WHM) plugin version 5.3.1.0 to address an actively exploited vulnerability.
The issue affects cPanel servers running the LiteSpeed user-end plugin versions 2.3 through 2.4.4. The WHM plugin itself is not vulnerable; however, it bundles the affected user-end plugin.
The issue affects the LiteSpeed User-End cPanel Plugin, which extends LiteSpeed Web Server functionality into the cPanel interface used by hosting customers. LiteSpeed Web Server is widely deployed software responsible for delivering website content, often replacing Apache in hosting environments.
cPanel acts as the management interface where customers configure domains, applications, and hosting settings. The user-end plugin integrates directly into this interface, allowing individual users to control performance features such as caching and Redis for their own accounts.
The vulnerability, tracked as CVE-2026-48172, resides in the Redis enable and disable functionality. Improper handling of JSON API requests allows user-supplied input to reach backend operations executed with root privileges without adequate validation.
An authenticated user with a low-privileged cPanel account can send a crafted JSON API request to the Redis management function through the standard cPanel interface, resulting in privilege escalation and potential root-level command execution.
This flaw breaks the trust boundary between user-controlled input and privileged system operations, enabling full server compromise from a single account. The impact could be significant in shared hosting environments, where access to one account can expose all hosted workloads.
The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) v4.0 score of 10.0.
Analysis
The plugin’s design increases risk by exposing privileged backend operations to all authenticated users, including low-privileged accounts. In shared hosting environments, this expands the attack surface, as a single compromised account or weak credential can provide a path to system-level access.
Organizations running affected plugin versions are exposed, particularly where cPanel is internet-accessible. Any valid cPanel account can be used to exploit the flaw, resulting in root-level command execution, modification of protected configurations, and persistence.
Upgrading to LiteSpeed WHM plugin version 5.3.1.0 or later installs the fixed cPanel plugin version 2.4.7. Where an immediate upgrade is not feasible, removing the user-end plugin with the vendor's uninstall command reduces exposure, although it may result in some loss of functionality.
Logs can be reviewed for the string cpanel_jsonapi_func=redisAble to identify potential exploitation attempts, followed by validation of source IP addresses and related activity. System logs can also be examined for signs of privilege escalation or unauthorized configuration changes, and restricting access to cPanel interfaces at the network level can further reduce exposure.
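The log review described above, as an added example that is not part of the original advisory or of any LiteSpeed or cPanel tooling: it scans access-log lines for the indicator string, decodes URL-encoding first so encoded variants are not missed, and groups hits by source IP with the accounts and response codes involved so each source can be validated against expected activity. The log lines, account names, session paths and the extra query parameter are constructed for the example; the line layout (ip, ident, user, timestamp, request, status, size) is a simplified Apache-style format and is an assumption, so LOG_RE may need adjusting to the server's actual log format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Indicator named in the advisory: requests to the Redis enable/disable function.
INDICATOR = "cpanel_jsonapi_func=redisAble"

# Constructed sample lines in a simplified Apache-style layout (assumption):
# ip ident user [timestamp] "request" status size
SAMPLE_LOG = """\
203.0.113.10 - alice [21/May/2026:10:01:02 +0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=EXAMPLE HTTP/1.1" 200 512
198.51.100.7 - bob [21/May/2026:10:05:44 +0000] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 8123
203.0.113.10 - alice [21/May/2026:10:06:10 +0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=EXAMPLE&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 498
192.0.2.55 - carol [21/May/2026:11:15:00 +0000] "POST /cpsess0000000003/json-api/cpanel?cpanel_jsonapi_func%3DredisAble HTTP/1.1" 500 120
"""

# Field layout is an assumption; adjust to the real log format if it differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicator_hits(log_text):
    """Return parsed lines whose request contains the indicator.

    The request is URL-decoded before matching so that encoded forms of the
    parameter are still caught; lines that do not parse are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if INDICATOR in unquote(fields["request"]):
            hits.append(fields)
    return hits


def summarize_by_source(hits):
    """Group hits by source IP for follow-up validation.

    Each entry records the number of hits, the cPanel accounts used, the HTTP
    status codes returned, and the first and last timestamps seen (log order).
    """
    summary = defaultdict(lambda: {"count": 0, "users": set(), "statuses": set(),
                                   "first_seen": None, "last_seen": None})
    for h in hits:
        entry = summary[h["ip"]]
        entry["count"] += 1
        entry["users"].add(h["user"])
        entry["statuses"].add(h["status"])
        if entry["first_seen"] is None:
            entry["first_seen"] = h["ts"]
        entry["last_seen"] = h["ts"]
    # Convert sets to sorted lists so the result is stable and printable.
    return {ip: {**e, "users": sorted(e["users"]), "statuses": sorted(e["statuses"])}
            for ip, e in summary.items()}


if __name__ == "__main__":
    for ip, entry in summarize_by_source(find_indicator_hits(SAMPLE_LOG)).items():
        print(ip, entry)
```

A source that appears with several different accounts, or a burst of hits shortly after a login from an unfamiliar address, is worth prioritising; a successful (200) response to the Redis function from an account that had no reason to touch it should be checked against the system logs for the privilege-escalation and configuration-change signs the advisory mentions.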