A critical zero-day vulnerability in the LiteSpeed cPanel plugin, actively exploited to gain root access on Linux hosting servers, has been identified and patched. The flaw, tracked as CVE-2026-48172, affects plugin versions from v2.3 up to, but not including, v2.4.5.
Exploitation Details and Impact
The vulnerability lies in the lsws.redisAble function within the user-end cPanel plugin. This flaw enables any user with a valid cPanel account to execute arbitrary scripts with root privileges, posing a severe risk to server security. Malicious users or compromised accounts can exploit this to take full control of affected servers.
LiteSpeed has confirmed that this vulnerability has been exploited in the wild, highlighting its status as a true zero-day threat. The issue impacts all deployments using the vulnerable plugin versions, although the WHM plugin remains unaffected.
Mitigation Steps and Recommendations
To mitigate this risk, LiteSpeed has released a fix in cPanel plugin v2.4.5 and later versions. Administrators are urged to update to the latest plugin release promptly to secure their systems.
Administrators can check for exploit attempts by searching the cPanel logs for specific function calls. No results means there is no evidence of exploitation; any results call for further investigation.
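The log search described above, as an added example that is not from LiteSpeed or the original article. It assumes the call of interest is the redisAble function named earlier and that log lines follow a combined-log layout; the sample lines and their request path are constructed.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Function name as given in the article; everything else below is an assumption.
NEEDLE = re.compile(r"redisAble", re.IGNORECASE)
# Assumed combined-log layout: client IP, ident, user, [timestamp], "request".
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)"')

def scan_lines(lines, source="<memory>"):
    """Return one record per line that mentions the vulnerable function."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if not NEEDLE.search(line):
            continue
        m = LINE.match(line)
        ip, user, ts, _req = m.groups() if m else ("?", "?", "?", "")
        hits.append({"source": source, "line": lineno, "ip": ip, "user": user, "time": ts})
    return hits

def scan_dir(log_dir):
    """Scan every file under log_dir, including gzip-rotated logs."""
    hits = []
    for path in sorted(Path(log_dir).rglob("*")):
        if not path.is_file():
            continue
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            hits.extend(scan_lines(fh, str(path)))
    return hits

def by_account(hits):
    """Count hits per (cPanel user, client IP) to show which accounts to review first."""
    return Counter((h["user"], h["ip"]) for h in hits)

# Constructed sample lines (not real log data); addresses are documentation ranges.
SAMPLE = [
    '203.0.113.7 - alice [19/May/2026:10:01:02 +0000] "GET /constructed-path/index.html HTTP/1.1" 200 512',
    '198.51.100.9 - bob [19/May/2026:10:02:03 +0000] "POST /constructed-path?func=redisAble HTTP/1.1" 200 87',
    '198.51.100.9 - bob [19/May/2026:10:02:09 +0000] "POST /constructed-path?func=redisable HTTP/1.1" 200 87',
    'malformed entry mentioning redisAble without the usual fields',
]

if __name__ == "__main__":
    for (user, ip), n in by_account(scan_lines(SAMPLE)).most_common():
        print(f"{n} hit(s) user={user} ip={ip}")
```

Point `scan_dir` at the server's cPanel log directory; the path is not given in the article. Lines that do not parse are still reported, with `?` in place of the user and address, so they can be reviewed by hand.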
For those unable to update immediately, LiteSpeed recommends uninstalling the user-end plugin as a temporary measure. Additionally, upgrading to LiteSpeed WHM Plugin v5.3.1.0 or higher is advised to ensure full protection.
Response and Future Outlook
The initial discovery by security researcher David Strydom prompted a swift response from LiteSpeed and the cPanel/WebPros team. On May 19, 2026, LiteSpeed released updated plugins and conducted a comprehensive security review, resulting in additional hardening measures.
While other vulnerabilities were identified and addressed during this review, there are no known exploitation attempts of these secondary issues. For server administrators, the guidance is clear: assume potential compromise on unpatched systems and prioritize updates.
