PROBABLYPWNED
Vulnerabilities | May 27, 2026 | 4 min read

LiteSpeed cPanel Flaw Grants Root Access—CISA Sets 3-Day Deadline

Critical CVE-2026-48172 in LiteSpeed cPanel plugin enables root privilege escalation. CVSS 10.0, actively exploited, CISA KEV deadline May 29. Patch immediately.

Marcus Chen

CISA has given federal agencies just three days to patch a maximum-severity vulnerability in the LiteSpeed cPanel plugin that's being actively exploited to gain root access on web servers. CVE-2026-48172 carries a CVSS score of 10.0 and allows any authenticated cPanel user—including compromised accounts—to execute arbitrary scripts with full root privileges.

The flaw was added to CISA's Known Exploited Vulnerabilities catalog on May 26, 2026, with a mandatory remediation deadline of May 29 for federal agencies. Private organizations should treat this with equal urgency given confirmed active exploitation.

TL;DR

  • What happened: Critical privilege escalation in LiteSpeed cPanel plugin versions 2.3-2.4.4
  • Who's affected: Any shared hosting environment using LiteSpeed with the user-end cPanel plugin
  • Severity: CVSS 10.0 (Maximum) - actively exploited in the wild
  • Action required: Upgrade to WHM Plugin 5.3.1.0 or uninstall the user-end plugin immediately

How the Exploit Works

The vulnerability resides in the lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default. Due to incorrect privilege assignment, low-privileged users can leverage this endpoint to execute scripts with elevated root permissions.

According to LiteSpeed's advisory, "Any cPanel user (including an attacker or a compromised account) may exploit" this flaw to achieve full server compromise. The attack requires only valid cPanel credentials—which are commonly targeted through credential stuffing, phishing, or infostealer malware.

This isn't hypothetical. LiteSpeed confirmed the "vulnerability is being actively exploited," though they've provided limited technical specifics about observed attacks. The simplicity of exploitation—requiring just a single API call—makes this particularly dangerous for shared hosting providers managing thousands of customer accounts.

Who's Affected

The vulnerability impacts LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. Notably, the LiteSpeed WHM plugin itself is not affected—only the user-facing cPanel component.

If you're running a shared hosting environment with LiteSpeed, assume you're at risk. The cPanel plugin is commonly deployed alongside LiteSpeed Web Server to give customers performance optimization controls. Each customer account becomes a potential entry point for full server takeover.

The broader hosting ecosystem has faced mounting pressure this year. We covered a similar critical vulnerability in Drupal that saw 15,000 attack attempts within days of disclosure, and the recent Ghost CMS campaign that compromised over 700 websites including major universities.

Detecting Compromise

Organizations can check for exploitation attempts using this command:

grep -rE "cpanelplugin_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/

Any output warrants immediate investigation. Review source IP addresses to determine if requests originated from legitimate users or external attackers.
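To make the source-IP review concrete, the following added example (not from LiteSpeed or the original article) groups indicator hits by client IP and authenticated user, with a count and the first and last timestamp for each. It assumes a combined-log style layout (field 1 = client IP, field 3 = user, field 4 = timestamp); the sample lines, addresses, user names and request path are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: triage hits for the indicator string quoted in the article.
# Assumption: combined-log layout, $1 = client IP, $3 = user, $4 = "[timestamp".
INDICATOR='cpanelplugin_jsonapi_func=redisAble'

# summarize_hits PATH... -> one line per (ip, user): "ip user count first last"
summarize_hits() {
    grep -rhF -- "$INDICATOR" "$@" 2>/dev/null | awk '
        {
            key = $1 " " $3
            ts = substr($4, 2)                 # drop the leading "["
            if (!(key in n)) { first[key] = ts; order[++k] = key }
            n[key]++
            last[key] = ts
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%s %d %s %s\n", order[i], n[order[i]],
                       first[order[i]], last[order[i]]
        }'
}

# make_sample_log -> path of a temp file holding constructed log lines.
# The request path is a placeholder, not the real endpoint URL.
make_sample_log() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
192.0.2.10 - bob [27/May/2026:03:10:01 +0000] "GET /PLACEHOLDER_PATH/index.html HTTP/1.1" 200 0
198.51.100.23 - alice [27/May/2026:03:14:07 +0000] "POST /PLACEHOLDER_PATH?cpanelplugin_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - alice [27/May/2026:03:14:09 +0000] "POST /PLACEHOLDER_PATH?cpanelplugin_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.5 - carol [27/May/2026:04:02:55 +0000] "POST /PLACEHOLDER_PATH?cpanelplugin_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.10 - bob [27/May/2026:04:05:00 +0000] "GET /PLACEHOLDER_PATH/index.html HTTP/1.1" 200 0
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample; on a server, pass the log directories instead.
sample=$(make_sample_log)
summarize_hits "$sample"
rm -f "$sample"
```

On a live host, call `summarize_hits /var/cpanel/logs /usr/local/cpanel/logs/` and compare each IP and user pair against that account's normal login locations.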

Also audit recent cron jobs, SSH authorized_keys files, and any scripts in privileged directories. Root-level access means attackers could have established persistence anywhere on the system.

Remediation Steps

  1. Upgrade immediately to LiteSpeed WHM Plugin version 5.3.1.0, which bundles cPanel plugin v2.4.7
  2. If patching isn't immediately possible, remove the user-end plugin by running:
    /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
    
  3. Audit all cPanel accounts for unauthorized access
  4. Review logs for evidence of exploitation using the grep command above
  5. Check for persistence mechanisms including unauthorized SSH keys and cron jobs

Why This Matters

This disclosure follows closely behind CVE-2026-41940, another critical cPanel vulnerability actively exploited to deploy Mirai botnet variants and Sorry ransomware. The pattern suggests attackers are systematically targeting web hosting infrastructure.

Shared hosting environments are attractive targets because a single vulnerability can cascade across hundreds or thousands of websites. Root access on a shared server means every customer's data, credentials, and applications are exposed. Attackers can inject malware into legitimate sites, steal databases, or pivot to attack visitors through drive-by downloads.

For hosting providers, this vulnerability represents an existential risk. Customer trust evaporates quickly when a breach occurs, and the liability exposure from compromised client data can be significant. The three-day CISA deadline reflects how seriously the government views this threat.

The recurring pattern of critical vulnerabilities in web infrastructure should prompt organizations to reconsider their patching processes. Waiting for scheduled maintenance windows isn't acceptable when actively exploited zero-days drop with near-weekly frequency.

Frequently Asked Questions

How do I know if my server uses the vulnerable plugin?

Check if the file /usr/local/cpanel/3rdparty/bin/lscpctl exists or run ls /usr/local/lsws/admin/misc/lscmctl. If LiteSpeed cPanel integration is installed, assume you're affected unless you're running version 2.4.7 or higher.

Does this affect LiteSpeed Enterprise or OpenLiteSpeed without cPanel?

No. This vulnerability is specific to the cPanel user-end plugin. Standalone LiteSpeed installations without cPanel integration are not affected.
