A newly disclosed critical vulnerability affecting the LiteSpeed User-End cPanel Plugin is being actively exploited by attackers, according to security warnings released by LiteSpeed Technologies.
Tracked as CVE-2026-48172, the flaw carries the maximum possible CVSS severity score of 10.0 and could allow attackers to execute arbitrary scripts with root-level privileges on vulnerable servers.
Privilege Escalation Vulnerability Exposes Servers
The security issue stems from an incorrect privilege assignment within the plugin’s lsws.redisAble function. Researchers found that any cPanel account — including compromised or low-privileged users — could abuse the flaw to run malicious commands as the root user.
LiteSpeed confirmed that the vulnerability impacts all plugin versions between 2.3 and 2.4.4, while the WHM plugin itself remains unaffected.
The issue has been fixed in version 2.4.5, with additional security improvements later included in version 2.4.7.
Active Exploitation Confirmed
LiteSpeed warned that the vulnerability is already being exploited in real-world attacks, although technical details regarding exploitation methods have not been publicly disclosed.
To help administrators detect suspicious activity, the company shared an indicator-of-compromise command that checks for malicious requests targeting the vulnerable function.
If suspicious entries appear in server logs, administrators are advised to review the originating IP addresses and block any unauthorized access attempts immediately.
Additional Security Patches Released
Following an internal review of both its cPanel and WHM plugins, LiteSpeed announced that it patched several additional potential attack vectors discovered during the investigation.
The latest secure release is bundled within:
- LiteSpeed WHM Plugin version 5.3.1.0
- cPanel Plugin version 2.4.7 or later
Security experts strongly recommend upgrading immediately to reduce the risk of compromise.
Temporary Mitigation Available
For organizations unable to patch immediately, LiteSpeed recommends removing the vulnerable user-end plugin entirely until updates can be applied.
The company provided an uninstall command that disables the affected component from the server environment.
Growing Threats Targeting Hosting Infrastructure
The discovery comes amid increasing attacks targeting hosting control panels and web server infrastructure. Earlier this year, another critical cPanel vulnerability, CVE-2026-41940, was reportedly exploited to deploy Mirai botnet variants and ransomware payloads.
Cybersecurity analysts warn that hosting environments remain attractive targets because successful compromises can provide attackers with access to multiple customer websites and services simultaneously.
Security Experts Urge Immediate Action
Administrators running LiteSpeed environments are advised to:
- Upgrade to the latest patched plugin versions immediately
- Audit server logs for suspicious requests
- Restrict unnecessary user permissions
- Enable multi-factor authentication for hosting accounts
- Monitor systems for unauthorized root-level activity
Given the severity of the flaw and confirmed exploitation attempts, delaying mitigation could expose servers to full system compromise.
Conclusion
The active exploitation of CVE-2026-48172 highlights the ongoing risks facing web hosting infrastructure and control panel ecosystems. As attackers increasingly target privileged server components, rapid patch management and continuous monitoring remain essential for protecting production environments from large-scale compromise.
