🔴 CVE-2026-48172

Critical privilege escalation vulnerability in LiteSpeed cPanel/WHM plugins allowing attackers to potentially gain root access via network exploitation. This vulnerability is actively exploited in the wild and affects widely deployed web hosting control panel systems.

Risk Level: HIGH_RISK
CVSS Score: 10.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-21

Added to CISA KEV: 2026-05-26 (5 days between CVE publication and KEV listing)

🌐 Internet Exposure (Shodan): 748k+ internet-facing instances
Query: http.title:"cPanel"
This query identifies cPanel installations but cannot determine LiteSpeed plugin presence or version, potentially overcounting exposed instances since not all cPanel installations use LiteSpeed plugins.
Checked: 2026-06-04

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-05-27)

CVE-2026-48172 is a critical security vulnerability affecting the LiteSpeed User-End cPanel Plugin (versions prior to 2.4.5) [2] [1].

Below is the current understanding of the vulnerability based on available reports:

Vulnerability Overview
  • Nature of Flaw: The vulnerability is an instance of incorrect privilege assignment that allows for privilege escalation, potentially granting an attacker root-level access [1].
  • CVSS Score: 10.0 (Maximum Severity) [1].
Exploitation Details
  • Active Exploitation: The vulnerability is confirmed to be under active exploitation in the wild as of May 2026 [2] [1].
  • Attack Vector: Any cPanel user—including an attacker who has already compromised a standard user account—can exploit the `lsws.redisAble` function to execute arbitrary scripts with root privileges [1].
  • Internet-Facing Applications: Because the vulnerability resides in a cPanel plugin, it directly affects internet-facing web hosting servers that utilize this specific plugin configuration.
  • Targeted Attacks: While LiteSpeed has confirmed active exploitation, specific details regarding whether this is being used in highly targeted campaigns versus opportunistic mass exploitation have not been publicly detailed by the vendor [1].
CISA Known Exploited Vulnerabilities (KEV) Status
As of May 27, 2026, there is no explicit mention in the provided search results confirming its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, given its active exploitation status and high severity, users should monitor official CISA channels for updates.
Mitigation and Detection
  • Patching: Users are urged to update the LiteSpeed User-End cPanel Plugin to version 2.4.5 or later [2].
  • Detection: Administrators can examine system logs for suspicious activity associated with the `lsws.redisAble` function. If logs indicate unauthorized use or unexpected output, it is recommended to identify the source IP addresses and block them accordingly [2] [3].
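To operationalize the detection step above (review of log entries that reference `lsws.redisAble` and the source IPs behind them), here is an added Python example that is not from the page or from LiteSpeed/cPanel; the log line format, the URL path shape and the sample lines are assumptions constructed for illustration.

```python
"""Scan cPanel-style access-log lines for requests that invoke lsws.redisAble.

The line format (client IP, '-', user, [timestamp], request line, status, size)
is an ASSUMPTION modelled on Apache common-log conventions; adjust LINE_RE to
the format your panel actually writes. Sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: three lsws.redisAble requests from two sources and
# one unrelated request. The URL path shape is also an assumption.
SAMPLE_LOG = """\
203.0.113.10 - alice [21/May/2026:10:15:02 +0000] "GET /cpsess123/execute/LiteSpeed/lsws.redisAble HTTP/1.1" 200 512
198.51.100.7 - bob [21/May/2026:10:16:44 +0000] "GET /cpsess456/frontend/jupiter/index.html HTTP/1.1" 200 2048
203.0.113.10 - alice [21/May/2026:10:17:09 +0000] "POST /cpsess123/execute/LiteSpeed/lsws.redisAble HTTP/1.1" 200 128
192.0.2.55 - carol [21/May/2026:11:02:30 +0000] "GET /cpsess789/execute/LiteSpeed/lsws.redisAble HTTP/1.1" 200 64
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_redisable_calls(log_text):
    """Return one dict per parsed request whose path references lsws.redisAble."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "lsws.redisAble" in m.group("path"):
            hits.append(m.groupdict())
    return hits

def summarize_by_source(hits):
    """Group hits per client IP: call count, users seen, first/last timestamp.
    This is the review list the advisory asks for before deciding what to block."""
    summary = defaultdict(lambda: {"calls": 0, "users": set(), "first": None, "last": None})
    for h in hits:
        entry = summary[h["ip"]]
        entry["calls"] += 1
        entry["users"].add(h["user"])
        entry["first"] = entry["first"] or h["ts"]  # log order assumed chronological
        entry["last"] = h["ts"]
    return dict(summary)

if __name__ == "__main__":
    for ip, info in summarize_by_source(find_redisable_calls(SAMPLE_LOG)).items():
        print(f"{ip:15} calls={info['calls']} users={sorted(info['users'])} "
              f"first={info['first']} last={info['last']}")
```

A hit in this output is not proof of compromise on its own, since the plugin is a user-end tool; it is the list of sources to review against expected plugin use.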

Sources

  1. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts ...

    CVE-2026-48172 lets cPanel users run scripts as root, affecting LiteSpeed plugin 2.3–2.4.4 and exposing servers. ... A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 1…

  2. CVE-2026-48172 | Tenable®

    LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. ... If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, deter…

  3. NVD - CVE-2026-48172

    CVE-2026-48172 Detail. Description. LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the…