LiteSpeed cPanel Plugin Zero-Day CVE-2026-48172 Actively Exploited to Grant Root Access on Linux Servers
LiteSpeed has confirmed active exploitation of CVE-2026-48172, a zero-day privilege escalation flaw in its cPanel user-end plugin that allows any valid cPanel account to execute scripts as root. All deployments running plugin versions 2.3 through 2.4.4 should patch immediately to version 2.4.7.

Server administrator reviewing critical security alerts in a data centre with red warning lights on server racks
LiteSpeed Technologies has disclosed and patched a critical zero-day privilege escalation vulnerability in its cPanel user-end plugin that is already being actively exploited in the wild. The flaw allows any valid cPanel user account to execute arbitrary scripts with root privileges, enabling complete server takeover without requiring administrative credentials.
The vulnerability is tracked as CVE-2026-48172 and affects LiteSpeed cPanel user-end plugin versions 2.3 through 2.4.4. Given that exploitation has been confirmed in the wild, hosting providers and server administrators running affected versions should treat this as an immediate patching priority. This is the kind of actively exploited flaw that sits alongside the broader vulnerability crisis highlighted by Project Glasswing this week, where the gap between discovery and patching remains dangerously wide across the software industry.
How the Vulnerability Works
The flaw resides in the lsws.redisAble function exposed via the LiteSpeed cPanel user-end plugin. Any cPanel user account, including low-privileged tenant accounts on shared hosting environments, can invoke this function to execute arbitrary scripts with root-level permissions on the underlying Linux server.
The practical consequence is severe. A malicious tenant, or an attacker who has compromised any single cPanel account through phishing, credential stuffing, or brute force, can pivot from that limited foothold to full control of the entire server. Every other site, database, and account hosted on that server is then exposed. The SEPPMail email gateway flaws disclosed earlier this month followed a similar pattern of unauthenticated access enabling full server compromise, underlining how frequently critical infrastructure-level flaws are being discovered and exploited in 2026.
LiteSpeed confirmed the vulnerability was exploited in the wild prior to disclosure, making it a true zero-day at the point of discovery. Security researcher David Strydom first reported the flaw on 19 May 2026, triggering an urgent coordinated response from both LiteSpeed and the cPanel/WebPros team.
Timeline of Response
On 19 May 2026, Strydom filed the initial report. cPanel pushed an automated removal of the vulnerable plugin through its security update channel. Administrators can force this update manually with the following command.
/scripts/upcp --force
On 20 May 2026, LiteSpeed released cPanel plugin version 2.4.6 and WHM plugin version 5.3.0.0 and applied for the CVE identifier. On 21 May 2026, following a full security review, LiteSpeed released cPanel plugin version 2.4.7 and WHM plugin version 5.3.1.0 with additional hardening. Secondary issues discovered during the review have been patched with no current reports of exploitation.
Checking for Exploitation on Your Servers
Administrators should immediately check cPanel logs for evidence of exploitation using the following command.
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
Any results should be treated as a confirmed incident. Validate source IP addresses, block suspicious addresses immediately, and conduct a full review of system logs for post-compromise activity including new user accounts, modified cron jobs, or unexpected outbound connections.
For organisations that cannot patch immediately, LiteSpeed recommends fully uninstalling the user-end plugin as a containment measure.
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
The recommended upgrade target is LiteSpeed WHM Plugin version 5.3.1.0, bundled with cPanel plugin version 2.4.7 or higher.
Implications for Gulf Hosting Providers and Enterprise Teams
For Dubai and Gulf-based managed service providers, web hosting companies, and enterprises running LiteSpeed on shared or multi-tenant infrastructure, the risk is particularly acute. Multi-tenant environments where multiple clients share a single server are exactly the scenario this flaw exploits. A compromise of any one client account becomes a pathway to full infrastructure control.
For Saudi Arabia and UAE hosting operators who have not yet patched, the combination of active exploitation confirmed in the wild and the availability of a reliable exploit path from any cPanel user account means the window for unpatched exposure should be measured in hours, not days.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.