{"id":253168,"date":"2026-05-23T03:35:00","date_gmt":"2026-05-23T07:35:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/23\/litespeed-cpanel-plugin-cve-2026-48172-exploited-to-run-scripts-as-root\/"},"modified":"2026-05-23T06:10:18","modified_gmt":"2026-05-23T10:10:18","slug":"litespeed-cpanel-plugin-cve-2026-48172-exploited-to-run-scripts-as-root","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/23\/litespeed-cpanel-plugin-cve-2026-48172-exploited-to-run-scripts-as-root\/","title":{"rendered":"LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/litespeed-cpanel-plugin-cve-2026-48172.html\">LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/litespeed-cpanel-plugin-cve-2026-48172.html\">https:\/\/thehackernews.com\/2026\/05\/litespeed-cpanel-plugin-cve-2026-48172.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-23 03:35:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">May 23, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Web Security<\/span><\/p>\n<p>A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.<\/p>\n<p>The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.<\/p>\n<p>&#8220;Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root,&#8221; LiteSpeed said.<\/p>\n<p>The vulnerability impacts all versions of the plugin between 2.3 and 2.4.4. 
LiteSpeed&#8217;s WHM plugin is not impacted. The issue has been addressed in version 2.4.5. Security researcher David Strydom has been credited with discovering and reporting the flaw.<\/p>\n<p>LiteSpeed noted that the &#8220;vulnerability is being actively exploited,&#8221; but refrained from sharing additional details. It has provided the following indicator of compromise &#8211;<\/p>\n<p>grep -rE &quot;cpanel_jsonapi_func=redisAble&quot; \/var\/cpanel\/logs \/usr\/local\/cpanel\/logs\/ 2&gt;\/dev\/null<\/p>\n<p>If running the aforementioned &#8220;grep&#8221; command does not produce any output, the server is not affected. However, if there is any output, users are advised to examine the IP addresses in the list and determine if they are legitimate, and if not, block them.<\/p>\n<p>Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins and released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0.<\/p>\n<p>Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher, to patch the vulnerability. 
If immediate patching is not an option, it&#8217;s recommended to remove the user-end plugin by running the below command &#8211;<\/p>\n<p>\/usr\/local\/lsws\/admin\/misc\/lscmctl cpanelplugin --uninstall<\/p>\n<p>The development comes weeks after a critical cPanel vulnerability&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/litespeed-cpanel-plugin-cve-2026-48172.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https:\/\/thehackernews.com\/2026\/05\/litespeed-cpanel-plugin-cve-2026-48172.html Publish Date: 2026-05-23 03:35:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":253169,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjM0W1UqsbcZ-8IV_n8ov3V24MQ74VaKe3auGFWNunDUfubEBeKEGREuFjC9-i7H_fLfSwFQQ5wqe8bhVWvAUVC_8U5AQg1c1Qbe-M7bSjuWCwcjTRrc2Du7L0Tm-NKO7ErhPUTR7YS6b1vkpmbYS1VaClWUGOvGe4cxv-jHkQFZMXbSDLfBiF7FFwd7Nfe\/s1600\/lightspeed.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-253168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253168"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=253168"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253168\/revisions"}],"predecessor-v
ersion":[{"id":253170,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253168\/revisions\/253170"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/253169"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=253168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=253168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=253168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}