LiteSpeed cPanel Plugin CVE-2026-48172: Arbitrary Root Script Execution (Active Exploitation)

Critical: Any cPanel User Can Become Root

LiteSpeed's cPanel plugin has a privilege escalation flaw that's actively being exploited right now. Any cPanel user on your server—including a compromised account—can run arbitrary scripts as root. CVSS 10.0. This isn't theoretical.

What this means: If someone gets into any single cPanel account on your server, they own the entire server.

The Vulnerability: redisAble Function Exposed

The vulnerability lives in the lsws.redisAble function. This function should be restricted, but it isn't. Any cPanel user can call it directly to execute arbitrary scripts with root privileges.

LiteSpeed didn't provide much detail on the exact mechanics (responsible disclosure), but the exploitation is straightforward: attacker calls redisAble → script runs as root → server is compromised.

Affected versions: LiteSpeed cPanel Plugin 2.3 through 2.4.4.

Not affected: LiteSpeed WHM plugin (separate component).

Who's at Risk

Direct risk:

• Any server running LiteSpeed cPanel Plugin 2.3–2.4.4
• cPanel with multiple user accounts (shared hosting, reseller environments)
• Servers with untrusted or semi-trusted users

Indirect risk:

• If any single cPanel account is compromised (via malware, brute force, stolen credentials), the attacker escalates immediately to root
• The account doesn't even need special permissions; it's a blanket privilege escalation

Active exploitation confirmed. Threat actors are actively scanning for and exploiting this. Assume your server is a target.

Verify If You've Been Exploited

LiteSpeed provides an indicator of compromise. Run this command:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Output explanation:

• No output: You haven't been exploited (or logs were rotated/deleted)
• Output with entries: Someone called the vulnerable function. Check the IP addresses.

If you get output, examine each line:

# Extract and analyze IPs
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort | uniq

For each IP found:

1. Check if it's your IP or a legitimate user's IP
2. Check your access logs for the same IP around the same time
3. If it's not legitimate, block it immediately (firewall or CSF/UFW)
4. Assume compromise and audit that cPanel account

Patching: Two Options

Option 1: Upgrade LiteSpeed Plugin (Recommended)

The fix is bundled: cPanel plugin v2.4.7 + WHM plugin v5.3.1.0.

Via WHM UI:

1. Log into WHM
2. Navigate to Plugins → LiteSpeed Web Server
3. Click Update (if available)
4. Accept and apply

Via command line (automated):

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --upgrade

Verify the upgrade:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --list
# Should show version 2.4.7 or higher

Option 2: Uninstall Plugin (If Patching is Delayed)

If you can't patch immediately (e.g., waiting for a maintenance window), uninstall the plugin:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Implications:

• You lose LiteSpeed functionality via cPanel UI
• cPanel can't manage LiteSpeed settings through the plugin
• You still have LiteSpeed web server running (just not manageable via cPanel)

If you uninstall: Patch within 24–48 hours. Don't leave the plugin uninstalled long-term; you lose visibility and management capabilities.

Post-Patch Actions

1. Check for Active Exploitation

# Check access logs for redisAble calls in the past 24–48 hours
grep "redisAble" /var/log/apache2/access_log* | head -20

# Check cPanel user logs for suspicious activity
tail -f /var/cpanel/logs/access_log | grep -i "root\|exec\|system"

# List recent cPanel account activity
for user in $(cat /etc/passwd | grep /home | cut -d: -f1); do
  echo "=== $user ==="
  grep "$user" /var/cpanel/logs/access_log | tail -5
done

2. Audit All cPanel Accounts

If you found exploitation attempts, audit every cPanel account:

# List all cPanel users
grep /home /etc/passwd | cut -d: -f1

# For each user, check:
# 1. Last login
# 2. SSH keys
# 3. Cronjobs
# 4. Modified files

for user in $(grep /home /etc/passwd | cut -d: -f1); do
  echo "=== Auditing $user ==="
  # Last login
  lastlog -u $user
  # SSH keys (if applicable)
  [ -d /home/$user/.ssh ] && ls -la /home/$user/.ssh
  # Cronjobs
  crontab -u $user -l 2>/dev/null | head -5
done

3. Change Passwords and Rotate Keys

If exploitation was confirmed:

# Force password change for all cPanel users
for user in $(grep /home /etc/passwd | cut -d: -f1); do
  passwd -e $user  # Forces password change on next login
done

# Revoke old SSH keys (or rotate them)
find /home -name ".ssh" -type d | while read dir; do
  mv $dir/authorized_keys $dir/authorized_keys.old
done

4. Scan for Backdoors

After patching, assume you've been compromised. Scan for backdoors:

# Check for new user accounts created recently
awk -F: '$3 >= 1000 {print $1, $3, $6}' /etc/passwd | tail -20

# Check for modified system files
debsums -c 2>/dev/null | grep -E "cPanel|LiteSpeed" | head -20

# Look for suspicious scripts in common locations
find /tmp /var/tmp /home -name "*.sh" -o -name "*.pl" -o -name "*.py" 2>/dev/null | xargs ls -la | head -20

5. Review LiteSpeed and cPanel Configurations

# Check if any unusual virtualhost configs were added
ls -la /usr/local/lsws/conf/ | grep -E "recent|new|tmp"

# Check cPanel addon domain configs for backdoors
find /etc/userdomains -type f -exec grep -l "root\|exec\|system" {} \; 2>/dev/null

Hardening After Patch

RBAC Lockdown

Restrict which cPanel users can access LiteSpeed settings:

# Via WHM, navigate to: Security Center → Manage cPanel Users
# Remove "Manage LiteSpeed Web Server" permission from non-admin accounts

Firewall Rules (Additional Protection)

Block access to cPanel JSON API from untrusted sources:

# UFW example (if using UFW)
ufw allow from 127.0.0.1 to any port 2083  # cPanel WHM port
ufw deny from any to any port 2083

# Or CSF (ConfigServer Firewall)
csf -d 1.2.3.4  # Deny specific IP
csf -a 192.168.1.0/24  # Allow trusted range

Monitor for Future Exploitation Attempts

# Create a monitoring script
cat > /usr/local/bin/monitor_litespeed.sh << 'EOF'
#!/bin/bash
while true; do
  grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null | while read line; do
    echo "[ALERT] Potential exploitation attempt: $line"
    # Send alert (email, Slack, monitoring system)
  done
  sleep 300  # Check every 5 minutes
done
EOF

chmod +x /usr/local/bin/monitor_litespeed.sh

# Run as a background service or cron job

Context: Why LiteSpeed Had Other Vulns

LiteSpeed noted that after discovering this flaw, they reviewed both the cPanel and WHM plugins and found additional potential attack vectors. The bundled patch (v2.4.7 cPanel + v5.3.1.0 WHM) includes patches for those as well.

This suggests the security review found privilege escalation patterns in multiple places. If you're running LiteSpeed on cPanel, assume there are other vectors they're working on. Stay updated on all security patches.

Upgrade Path

If you're running an older version of LiteSpeed:

1. Upgrade to the latest stable cPanel plugin (currently 2.4.7+)
2. Upgrade LiteSpeed Web Server itself (if you haven't recently)
3. Run full cPanel/WHM updates (security patches for cPanel itself)

Bundled update command:

/usr/local/lsws/admin/misc/lscmctl --upgrade-all

Context: Related cPanel Vulnerabilities

This exploit comes weeks after CVE-2026-41940 (another critical cPanel flaw, CVSS 9.8) was actively exploited to deploy Mirai botnets and ransomware (Sorry variant). If you haven't patched that yet, do it now. Threat actors are actively weaponizing cPanel vulnerabilities.

Pattern: Multiple critical vulns in cPanel ecosystem in Q2 2026. Expect more. Keep automated patching enabled.

References

• LiteSpeed Security Advisory: CVE-2026-48172
• CVE.org: CVE-2026-48172
• LiteSpeed Blog: Security Update for LiteSpeed cPanel Plugin
• cPanel Security Patches
• Related: CVE-2026-41940 (critical cPanel flaw)