
What is CVE-2026-48172?
CVE-2026-48172 is an incorrect privilege assignment flaw in the LiteSpeed User-End cPanel Plugin that allows any authenticated cPanel user to execute arbitrary scripts as root. The bug sits in the plugin's lsws.redisAble function, which can be invoked through the standard cPanel JSON API and runs with root privileges rather than those of the calling user.
The vulnerability carries a CVSS v4.0 base score of 10.0 (Critical). NVD lists the weakness as CWE-266 (Incorrect Privilege Assignment), and the CVE has been added to the CISA Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 16, 2026.
Exploitation does require an authenticated cPanel account, but in shared hosting environments and managed service contexts that bar is low. A single compromised hosting account, or any malicious customer on a shared server, is enough to escalate to root and take full control of the host. LiteSpeed has confirmed active exploitation in the wild, and the LiteSpeed WHM plugin (the parent plugin) is not affected by this issue.
What assets are affected by CVE-2026-48172?
The vulnerability affects the LiteSpeed User-End cPanel Plugin in versions 2.3 through 2.4.4. It was first addressed in version 2.4.5, with LiteSpeed later releasing cPanel plugin 2.4.7 as part of LiteSpeed WHM Plugin 5.3.1.0 following a broader review for related attack vectors.
In practice, an affected asset is a publicly reachable cPanel or WHM control panel running on a server that also has LiteSpeed Web Server installed with the user-end plugin enabled. These tend to be Linux web hosts in shared hosting, reseller hosting, and managed VPS environments, where cPanel is the primary administration interface and LiteSpeed has been swapped in for Apache or Nginx as the web server. The same hosts often run hundreds of customer sites side by side, which is exactly the deployment pattern that makes a root-level escalation so damaging.
These control panels are intentionally internet-facing because customers need to log in remotely to manage their hosting accounts. That design reality, combined with the LiteSpeed plugin being an opt-in component that administrators may have installed years ago and forgotten about, means a meaningful share of vulnerable installations are likely still online.
What does our data show about exposure patterns?

Exposure in this set is led by Industrials at 20.3% of observed assets, with Consumer Discretionary contributing 16.9% and Communication Services close behind at 16.1%.
Industrials sits at the top because the sector tends to operate sprawling, federated digital estates. Manufacturers, logistics providers, and capital goods firms frequently rely on regional websites, partner microsites, and customer portals that have been spun up over decades through acquisitions, joint ventures, and outsourced marketing engagements.
Many of these properties were originally provisioned on shared hosting with cPanel as the management layer, and ownership has drifted away from central IT. Consumer Discretionary and Communication Services show a similar pattern, with large numbers of brand sites, campaign domains, and media properties sitting on hosted infrastructure that the parent organization no longer actively tracks.
The cross-sector spread is the more important signal. Nearly half of all observed exposure falls into the long tail of sectors outside the top three, which suggests this is not a problem confined to any single industry. The common thread is hosted infrastructure that was set up to be managed by someone else and then quietly inherited back.
When the LiteSpeed plugin was installed on those hosts, often as part of a default hosting build, it became an asset the customer is now responsible for patching but is unlikely to know exists.
Are fixes available?
Yes. LiteSpeed addressed the issue in cPanel plugin version 2.4.5 and recommends upgrading to LiteSpeed WHM Plugin 5.3.1.0, which bundles cPanel plugin version 2.4.7 or later after a wider security review. Administrators running any version from 2.3 through 2.4.4 should treat their hosts as exposed until the upgrade is confirmed.
For installations where patching cannot be applied immediately, LiteSpeed recommends removing the user-end cPanel plugin entirely using its uninstall command. The WHM plugin is unaffected and does not need to be removed.
Given confirmed in-the-wild exploitation and the CISA KEV listing, defenders should verify the running plugin version directly on each host rather than relying on inventory records. Hosted environments and shared infrastructure are particularly likely to show version drift between what the inventory says and what is actually deployed.
Are there any other recommended actions to take?
Until patching is confirmed, defenders should:
- Inventory all cPanel and WHM hosts and identify which run the LiteSpeed user-end plugin
- Run the LiteSpeed-provided IoC check: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
- Investigate any matching log entries for unfamiliar source IPs and block them at the perimeter
- Audit recently created user accounts and any files with elevated permissions on affected servers
- Restrict access to cPanel and WHM interfaces by source IP where the customer model allows it
- Review hosting customer accounts for recent privilege or configuration changes
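The two host-level checks above, the version verification and the IoC log search, can be scripted so they run the same way on every server. The following is an added example written for this page; it is not code from LiteSpeed, cPanel, or CyCognito. It assumes the affected range 2.3 through 2.4.4 with 2.4.5 as the first fixed release, as stated in the advisory, and it matches the same "cpanel_jsonapi_func=redisAble" string the grep command looks for. The log lines are constructed in an Apache-style layout; real cPanel access logs may be laid out differently, so only the IoC substring match is load-bearing and the source-IP field is treated as best effort.

```python
"""Added example (not LiteSpeed's, cPanel's or CyCognito's code): triage helpers
for CVE-2026-48172.

  1. is_affected_version(): is a LiteSpeed User-End cPanel Plugin version
     string inside the affected range 2.3 through 2.4.4 (fixed in 2.4.5)?
  2. scan_logs_for_ioc() / summarize_by_ip(): run the advisory's IoC string over
     log lines and group the hits by source IP for review and perimeter blocking.

Assumption: the log layout below is a constructed Apache-style format. If the
IP/user/status fields do not parse, the hit is still reported on the IoC match.
"""
import re
from collections import Counter
from typing import Iterable

IOC = "cpanel_jsonapi_func=redisAble"   # IoC string published by LiteSpeed
AFFECTED_MIN = (2, 3)                    # first affected version (inclusive)
FIXED = (2, 4, 5)                        # first fixed version (exclusive bound)

# Constructed sample log lines (placeholder IPs from RFC 5737 ranges).
SAMPLE_LOG = [
    '203.0.113.7 - bob [20/May/2026:03:14:02 +0000] '
    '"GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.23 - alice [20/May/2026:08:01:55 +0000] '
    '"GET /frontend/jupiter/index.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - bob [20/May/2026:03:14:05 +0000] '
    '"POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '192.0.2.45 - carol [20/May/2026:09:22:10 +0000] '
    '"GET /json-api/cpanel?cpanel_jsonapi_func=listpops HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Best-effort parse of the constructed layout: ip, ident, user, [timestamp], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_version(v: str) -> tuple:
    """'2.4.4' -> (2, 4, 4). Trailing non-numeric suffixes are dropped."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(parts)


def is_affected_version(v: str) -> bool:
    """True when 2.3 <= v < 2.4.5, compared component-wise like a tuple."""
    t = parse_version(v)
    return AFFECTED_MIN <= t < FIXED


def scan_logs_for_ioc(lines: Iterable[str]) -> list:
    """Return one dict per line containing the IoC string; never drops a hit
    just because the surrounding line does not match the expected layout."""
    hits = []
    for line in lines:
        if IOC not in line:
            continue
        m = LOG_LINE.match(line)
        hits.append({
            "ip": m.group("ip") if m else "unknown",
            "user": m.group("user") if m else "unknown",
            "status": m.group("status") if m else "unknown",
            "raw": line,
        })
    return hits


def summarize_by_ip(hits: list) -> Counter:
    """Count IoC hits per source IP so the noisiest sources surface first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ver in ("2.2.9", "2.3", "2.4.4", "2.4.5", "2.4.7"):
        print(f"plugin {ver}: {'AFFECTED' if is_affected_version(ver) else 'not affected'}")
    found = scan_logs_for_ioc(SAMPLE_LOG)
    for ip, n in summarize_by_ip(found).most_common():
        print(f"{ip}: {n} redisAble call(s) - review and consider blocking")
```

On a real host, replace SAMPLE_LOG with the lines read from the paths in the advisory's grep command and feed the plugin's reported version string to is_affected_version(); the per-IP summary is what you would hand to whoever manages the perimeter block list.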
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-48172 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.