A maximum-severity security vulnerability impacting the LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.
The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), is a case of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.
“Any cPanel user (including an attacker or a compromised account) might exploit the lsws.redisAble function to execute arbitrary scripts as root,” LiteSpeed said.
The vulnerability affects all versions of the plugin between 2.3 and 2.4.4. LiteSpeed’s WHM plugin is not impacted. The issue has been addressed in version 2.4.5. Security researcher David Strydom has been credited with discovering and reporting the flaw.
LiteSpeed noted that the “vulnerability is being actively exploited,” but refrained from sharing additional details. It has provided the following indicator of compromise –
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
If running the above “grep” command produces no output, the server is not affected. However, if there is any output, users are advised to examine the IP addresses in the list and determine if they are legitimate, and if not, block them.
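To make that review easier, the following added example (not LiteSpeed's or the article's code) groups matching log lines by client IP and cPanel user. It assumes each log line begins with the client IP, an ident field and the authenticated user; the sample lines, IPs and user names are constructed.

```shell
#!/usr/bin/env bash
# Added example: count redisAble calls per client IP and cPanel user.
# Assumption: each log line starts with "<client-ip> <ident> <user> [timestamp] ...".

IOC='cpanel_jsonapi_func=redisAble'   # indicator string from the advisory

# summarize_hits DIR... -> prints "<count> <ip> <user>", busiest source first
summarize_hits() {
    grep -rhE "$IOC" "$@" 2>/dev/null |
        awk '{ hits[$1 " " $3]++ }
             END { for (k in hits) print hits[k], k }' |
        sort -k1,1nr -k2,2
}

# write_sample_log DIR -> constructed log lines (documentation-range IPs, made-up users)
write_sample_log() {
    cat > "$1/access_log" <<'EOF'
203.0.113.10 - alice [05/20/2026:10:01:02 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.10 - alice [05/20/2026:10:01:09 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.55 - carol [05/20/2026:10:02:30 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=other HTTP/1.1" 200 0
198.51.100.7 - bob [05/20/2026:10:03:44 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.10 - alice [05/20/2026:10:05:12 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
}

# With arguments: scan the given log directories. Without: run on the constructed sample.
if [ "$#" -gt 0 ]; then
    summarize_hits "$@"
else
    demo=$(mktemp -d)
    write_sample_log "$demo"
    summarize_hits "$demo"
    rm -rf "$demo"
fi
```

On a live server, pass the two directories from the grep command above as arguments; no output means no matching requests were logged.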
Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins and released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0.
Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher, to patch the vulnerability. If immediate patching is not an option, it is recommended to remove the user-end plugin by running the below command –
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
The development comes weeks after a critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.



