CVE-2026-48172
Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
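The log check from the description, extended to tally the client addresses behind any hits so they can be reviewed and blocked; this is an added example, not code from the advisory or from LiteSpeed. It assumes the client address is the first IPv4 address on each matching line, and the `write_sample_log` helper and its log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally the client addresses behind the indicator string.
INDICATOR='cpanel_jsonapi_func=redisAble'   # string given in the CVE description

# summarize_hits DIR...
# Prints "<count> <address>" per client, busiest first; prints nothing when no
# log line contains the indicator.
# Assumption: the client is the first IPv4 address on the line. Matching lines
# with no IPv4 address (e.g. IPv6 clients) are counted as "unparsed" so they
# are not silently dropped.
summarize_hits() {
    { grep -rhE -- "$INDICATOR" "$@" 2>/dev/null || true; } |
        awk '{
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                print substr($0, RSTART, RLENGTH)
            else
                print "unparsed"
        }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# write_sample_log DIR (hypothetical helper)
# Writes constructed log lines (documentation-range addresses, made-up path)
# so the function can be exercised on a host without cPanel.
write_sample_log() {
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
192.0.2.10 - - [21/May/2026:10:00:02 +0000] "GET /constructed/index.html HTTP/1.1" 200 1024
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.23 - - [21/May/2026:10:00:04 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
2001:db8::1 - - [21/May/2026:10:00:05 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.7 - - [21/May/2026:10:00:06 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.23 - - [21/May/2026:10:00:07 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
}

# With no arguments, scan the two directories named in the description.
[ "$#" -gt 0 ] || set -- /var/cpanel/logs /usr/local/cpanel/logs/
summarize_hits "$@"
```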
Affected products
- Range: <2.4.5
- cpe:2.3:a:litespeedtech:litespeed_cpanel_plugin:*:*:*:*:*:*:*:* Range: <2.4.7
- Range: <2.4.5
References
- blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/ (nvd, Vendor Advisory)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd, US Government Resource)
- www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel (nvd, Product)
- www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log (nvd, Release Notes)
News mentions
- CISA warns of another cPanel plugin flaw exploited in attacks (BleepingComputer · Jun 16, 2026)
- Breach Roundup: US Troops Tracked With Cell Phone Data (GovInfoSecurity · May 29, 2026)
- CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks (Cyber Security News · May 27, 2026)
- CISA gives feds 4 days to patch actively exploited cPanel plugin flaw (BleepingComputer · May 27, 2026)
- CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day (SecurityWeek · May 27, 2026)
- ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos (The Hacker News · May 25, 2026)
- LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root (The Hacker News · May 23, 2026)
- WordPress CVE-2026-48172 Added to CISA KEV Under Active Exploitation (Vypr Intelligence · May 21, 2026)
- CISA Adds One Known Exploited Vulnerability to Catalog (CISA Alerts)