CVE-2026-48172 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-21

Added to CISA KEV: 2026-05-26 5 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Run detection command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
IMMEDIATE: Update LiteSpeed WHM Plugin to version 5.3.1.0 and cPanel Plugin to version 2.4.7
URGENT: Examine system logs for suspicious IP addresses and block any unauthorized access attempts
HIGH PRIORITY: Verify system integrity and check for signs of unauthorized privilege escalation
Monitor Redis enable/disable function usage and review access logs for anomalous activity

🔍 Web Intelligence

Key Sources:

LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts ...
CVE-2026-48172 lets cPanel users run scripts as root, affecting LiteSpeed plugin 2.3–2.4.4 and exposing servers. ... A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. ... The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse ... LiteSpeed noted that the "vulnerability is being actively exploited," but refrained from sharing additional details. ... The development comes weeks after a critical cPanel vulnerability ( CVE-2026-41940 , CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry. ... The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. "Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said.
CVE-2026-48172 | Tenable®
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. ... If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses.
NVD - CVE-2026-48172
CVE-2026-48172 Detail. Description. LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026.If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them.

🔴 CVE-2026-48172

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence

Key Sources: