
LiteSpeed cPanel Plugin Zero-Day (CVE-2026-48172) Actively Exploited to Gain Server Root Access

dark6 23 May 2026

LiteSpeed has disclosed and patched a critical zero-day privilege escalation vulnerability in its cPanel user-end plugin that is already being actively exploited by threat actors to gain root access on Linux hosting servers. The flaw, tracked as CVE-2026-48172, affects LiteSpeed cPanel user-end plugin versions from v2.3 up to but not including v2.4.5, and represents one of the most serious hosting infrastructure threats disclosed this week.

What Is CVE-2026-48172?

According to LiteSpeed’s official advisory, the vulnerability resides in the lsws.redisAble function exposed through the user-end cPanel plugin. This function can be abused by any valid cPanel user account to execute arbitrary scripts with full root privileges on the underlying Linux server.

Because exploitation only requires access to a standard cPanel user account, the attack surface is remarkably broad. A malicious tenant on a shared hosting platform — or an attacker who has already compromised a single hosting account — can pivot directly to a complete server takeover, gaining unrestricted access to all hosted websites, databases, and sensitive data on that machine.

LiteSpeed confirmed the vulnerability has been exploited in the wild, classifying it as a true zero-day at the time of its initial discovery by security researcher David Strydom on May 19, 2026.

Who Is Affected?

The flaw impacts any deployment running the vulnerable user-end cPanel plugin between versions v2.3 and v2.4.4 inclusive. This covers a wide swath of shared and reseller hosting environments globally, as LiteSpeed Web Server is extensively deployed across cPanel-based hosting infrastructure. Importantly, the WHM (WebHost Manager) plugin itself is not directly affected — the vulnerability is specific to the user-facing cPanel plugin component.

Hosting providers, managed service providers, and individual server administrators who have deployed LiteSpeed on cPanel servers should treat this as an emergency requiring immediate action.

Detection: How to Check If You Are Already Compromised

Administrators can quickly scan for signs of exploitation by searching cPanel logs for calls to the vulnerable function using the following command:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If this command returns no output, there is currently no evidence of exploitation on that server. However, any matching entries should trigger a full incident response: validate source IP addresses, block suspicious addresses, review system logs for post-compromise activity, and consider the server potentially compromised until proven otherwise.
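To support the source-IP validation step, the following added example (not from LiteSpeed's advisory or the original article) groups matching log entries by source address and cPanel user, with first and last timestamps. It assumes a combined-log line layout (IP, dash, user, bracketed timestamp, quoted request); the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage summary of redisAble calls found in cPanel logs.
# Assumed line layout: IP - USER [timestamp tz] "METHOD URL PROTO" status ...
# Adjust the field numbers if your log format differs.

# Constructed sample input (documentation IP ranges, made-up users).
sample_log() {
cat <<'EOF'
198.51.100.7 - alice [05/19/2026:10:02:11 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.20 - bob [05/19/2026:10:05:40 -0000] "GET /cpsess1111111111/frontend/index.html HTTP/1.1" 200 0
198.51.100.7 - alice [05/19/2026:10:03:54 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.33 - carol [05/20/2026:02:17:09 -0000] "POST /cpsess2222222222/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
}

# Reads log lines on stdin and prints one line per (IP, user) pair:
#   count ip user first_seen last_seen
# Lines without the indicator string from the grep command above are ignored.
summarize_redisable() {
  awk '
    index($0, "cpanel_jsonapi_func=redisAble") {
      ip = $1; user = $3
      ts = $4; sub(/^\[/, "", ts)          # strip the leading bracket
      key = ip " " user
      if (!(key in n)) { first[key] = ts; order[++k] = key }
      n[key]++
      last[key] = ts                        # input is assumed chronological
    }
    END {
      for (i = 1; i <= k; i++)
        print n[order[i]], order[i], first[order[i]], last[order[i]]
    }'
}

# With log files as arguments, summarise them; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
  cat -- "$@" | summarize_redisable
else
  sample_log | summarize_redisable
fi
```

Pass the log files that the grep command flagged as arguments; each output row is a candidate address and account to validate, block, or investigate further.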

Immediate Remediation Steps

LiteSpeed strongly advises upgrading to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel plugin v2.4.7) or higher. This release includes the fix for CVE-2026-48172 along with additional hardening changes identified during a broader security review conducted in response to this incident.

For organizations that cannot patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as an emergency containment measure:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

In parallel, cPanel has pushed an automated removal of the vulnerable plugin via its May 19, 2026 security update. Customers can force an update with:

/scripts/upcp --force

Timeline of the Emergency Response

The response to this vulnerability was notably swift. After David Strydom’s initial report on May 19, LiteSpeed and the cPanel/WebPros security teams initiated an emergency response cycle:

  • May 19: Vulnerability reported; LiteSpeed releases cPanel plugin v2.4.6 and WHM plugin v5.3.0.0
  • May 20: CVE-2026-48172 officially registered
  • May 21: Full security review completed; LiteSpeed ships cPanel plugin v2.4.7 and WHM plugin v5.3.1.0 with additional hardening

While additional issues were discovered and patched during this extended review, LiteSpeed reports no current evidence that those secondary vulnerabilities are being actively exploited in the wild.

Why This Matters for Hosting Providers

Zero-day vulnerabilities in web hosting infrastructure are particularly dangerous due to the shared-tenancy nature of most hosting environments. A single compromised account escalating to root means every website hosted on that server is potentially exposed — customer data, credentials, SSL certificates, and source code alike. For hosting providers, this is not merely a security incident but a business continuity and legal liability event that may trigger regulatory notification obligations.

The active exploitation of CVE-2026-48172 underscores the urgency. Organizations must prioritize patching or uninstalling the vulnerable plugin without delay, audit affected systems for signs of compromise, and implement network-level controls to limit exposure of cPanel interfaces to trusted IP ranges only.
