VYPR
Critical severity · NVD Advisory · Published May 21, 2026

CVE-2026-48172


Description

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done by running the following command in Bash:

    grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.
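The triage step described above (list the source IPs behind the matches, then separate expected addresses from unexpected ones), as an added example that is not from LiteSpeed or the advisory. It assumes the client IP is the first field of each log line; the function names, the allowlist file and the sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not vendor code): per-IP summary of redisAble requests.
# Assumption: the client IP is the first whitespace-separated field of each
# log line, as in common log format; change $1 in awk if your logs differ.
# grep does not read rotated .gz logs, so check those separately.

# redisable_hits PATH...  -> "COUNT IP" lines, busiest source first
redisable_hits() {
    # -h drops grep's "file:" prefix so field 1 is the log's own first field
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# unexpected_ips ALLOWFILE PATH...  -> IPs with hits that are not listed in
# ALLOWFILE (hypothetical file, one known-good address per line)
unexpected_ips() {
    allow_file=$1; shift
    redisable_hits "$@" |
        awk -v allow="$allow_file" '
            BEGIN { while ((getline a < allow) > 0) ok[a] = 1 }
            !($2 in ok) { print $2 }'
}

# make_sample DIR: write constructed log lines (documentation IP ranges,
# request path elided) and a constructed allowlist into DIR
make_sample() {
    mkdir -p "$1/logs"
    cat > "$1/logs/access_log" <<'EOF'
203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - - [20/May/2026:10:01:09 +0000] "GET /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.10 - admin [20/May/2026:11:30:00 +0000] "GET /...?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - - [20/May/2026:12:00:00 +0000] "GET /...?cpanel_jsonapi_func=other HTTP/1.1" 200 0
EOF
    printf '192.0.2.10\n' > "$1/allow.txt"
}

# With paths as arguments, scan them; with none, run on the sample.
if [ "$#" -gt 0 ]; then
    redisable_hits "$@"
else
    demo_dir=$(mktemp -d) && make_sample "$demo_dir"
    redisable_hits "$demo_dir/logs"
    unexpected_ips "$demo_dir/allow.txt" "$demo_dir/logs"
    rm -rf "$demo_dir"
fi
```

To scan a real host, pass the two log directories from the detection command as arguments.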

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LiteSpeed cPanel User-End Plugin before v2.4.5 allows privilege escalation to root via mishandled Redis enable/disable features.

Vulnerability

The vulnerability resides in the LiteSpeed User-End cPanel Plugin versions before v2.4.5. The plugin mishandles Redis enable/disable features, allowing privilege escalation. Exploitation can be detected by running grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ in Bash [1]. The issue was reintroduced in an earlier version and was only fixed in v2.4.5, which disabled the affected Redis features; they were later re-enabled with security hardening in v2.4.6 [1][2].

Exploitation

An attacker with network access to a server running the vulnerable plugin can send crafted requests exploiting the mishandling of Redis enable/disable functions. The detection command looks for the string cpanel_jsonapi_func=redisAble in cPanel logs, indicating the attacker's request pattern. Affected logs will include IP addresses which should be examined to determine if they are valid [1]. The attacker does not need prior authentication if the cPanel plugin's API endpoint is exposed.

Impact

Successful exploitation leads to privilege escalation, possibly to root. This gives the attacker full control over the compromised server, including all hosted accounts, data, and the ability to install malicious software. The vulnerability was exploited in the wild in May 2026 [1].

Mitigation

The immediate mitigation is to upgrade to the fixed version, LiteSpeed cPanel User-End Plugin v2.4.6 (released 2026-05-20), which reintroduces the Redis features with security hardening [1]. If upgrading is not possible, the vulnerability can be mitigated by removing the Redis features, as was done in v2.4.5, but the vendor recommends upgrading. Additionally, administrators should examine system logs for affected IP addresses and block suspicious ones as described in the detection guidance [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
