Critical Vulnerability in LiteSpeed cPanel Plugin Under Active Exploitation
A high-severity vulnerability affecting the LiteSpeed User-End cPanel Plugin is being actively exploited in the wild. The flaw, **CVE-2026-48172**, allows attackers to execute arbitrary scripts with root privileges.

A critical security vulnerability impacting the **LiteSpeed** User-End cPanel Plugin has come under active exploitation.
### CVE-2026-48172: Root Privilege Escalation
The flaw, tracked as **CVE-2026-48172** (CVSS score: 10.0), stems from an incorrect privilege assignment. An attacker can exploit this to run arbitrary scripts with elevated permissions.
"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," **LiteSpeed** stated in a security advisory.
### Affected Versions and Mitigation
The vulnerability affects all plugin versions between 2.3 and 2.4.4. The **LiteSpeed** WHM plugin is *not* affected. The issue is resolved in version 2.4.5. Security researcher **David Strydom** is credited with discovering and reporting the flaw.
**LiteSpeed** has acknowledged that the vulnerability is being actively exploited but has refrained from providing further details. It has provided the following command to check the cPanel logs for an Indicator of Compromise (IOC):
```sh
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
```
If the command produces no output, the searched logs contain no requests for the vulnerable function and the server is likely not affected. However, any output warrants immediate examination of the IP addresses in the matching log lines to determine their legitimacy. Suspicious IPs should be blocked.
### Additional Security Patches
Following a security review, **LiteSpeed** has patched additional potential attack vectors in both cPanel and WHM plugins. They released cPanel plugin version 2.4.7 as part of WHM plugin version 5.3.1.0.
Users are strongly advised to upgrade to **LiteSpeed** WHM Plugin version 5.3.1.0 (bundled with cPanel plugin v2.4.7 or higher) to patch the vulnerability. If immediate patching is not feasible, the user-end plugin can be temporarily removed using the following command:
```sh
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
```
### Background: Recent cPanel Vulnerabilities
This development follows the recent discovery of another critical cPanel vulnerability (**CVE-2026-41940**, CVSS score: 9.8) which was actively exploited to deploy **Mirai** botnet variants and the **Sorry** ransomware.