Cyber Web Spider Blog – News

LiteSpeed Plugin Flaw Exploited for Root Access


Posted on May 23, 2026 By CWS

A critical security vulnerability has been discovered in the LiteSpeed User-End cPanel Plugin, allowing attackers to execute scripts with root privileges. This flaw, identified as CVE-2026-48172, has a CVSS score of 10.0, highlighting its severe risk.

Details of the LiteSpeed Vulnerability

The vulnerability stems from an incorrect privilege assignment within the plugin. Any cPanel user, whether malicious or compromised, could exploit it to execute arbitrary scripts with elevated permissions. According to LiteSpeed, the affected function is lsws.redisAble.

The affected versions of the plugin span from 2.3 to 2.4.4, with the issue resolved in version 2.4.5. The LiteSpeed WHM plugin remains unaffected by this flaw. This discovery and report are credited to security researcher David Strydom.

Indicators and Mitigation Steps

LiteSpeed has confirmed active exploitation of this vulnerability but withheld further specifics. They have provided an indicator of compromise, advising users to run a specific command to check for signs of exploitation.

If the command output shows activity, users should scrutinize the IP addresses involved and block any that appear illegitimate. For immediate action, LiteSpeed recommends updating to the latest plugin versions, which contain additional security patches.

Security Updates and Recommendations

Following this vulnerability’s discovery, LiteSpeed conducted a security review of both their cPanel and WHM plugins, leading to further patches. Users should upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which includes cPanel plugin version 2.4.7 or higher, to ensure protection.
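The version boundaries above can be applied to a host inventory to decide which servers to handle first. The following is an added example, not code from LiteSpeed or from the original article; the host names and reported versions are constructed, and how the installed plugin version is collected from each server is left out because the article does not describe it.

```python
import re

# Boundaries stated in the article for the LiteSpeed user-end cPanel plugin.
FIRST_AFFECTED = (2, 3, 0, 0)  # affected range starts at 2.3
FIXED = (2, 4, 5, 0)           # CVE-2026-48172 resolved in 2.4.5
RECOMMENDED = (2, 4, 7, 0)     # 2.4.7+, bundled with WHM plugin 5.3.1.0

# Lower number = handle first.
PRIORITY = {"vulnerable": 0, "unknown": 1, "fixed-needs-update": 2,
            "below-affected-range": 3, "current": 4, "not-installed": 5}


def parse_version(text):
    """Return a zero-padded 4-tuple of ints, or None if not dotted-numeric."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version_text):
    """Map a reported plugin version string to a triage status."""
    if not version_text or not version_text.strip():
        return "not-installed"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: verify the host by hand
    if version < FIRST_AFFECTED:
        return "below-affected-range"
    if version < FIXED:
        # Assumption: anything between 2.3 and the 2.4.5 fix is treated as
        # affected, including builds the article does not list explicitly.
        return "vulnerable"
    if version < RECOMMENDED:
        return "fixed-needs-update"  # CVE fixed, later review patches missing
    return "current"


def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (PRIORITY[r[2]], r[0]))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {"web01": "2.4.4", "web02": "2.4.7", "web03": "2.4.5",
          "web04": None, "web05": "2.4.x", "web06": "v2.3"}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:6} {ver or '-':8} {status}")
```

Versions are compared numerically per component, so a release such as 2.4.10 is correctly ranked above 2.4.7 rather than below it as a string comparison would.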

In cases where an immediate update is unfeasible, LiteSpeed suggests uninstalling the user-end plugin using a provided command. This advisory comes soon after another significant cPanel vulnerability was found being exploited to deploy botnet and ransomware attacks.

Given the critical nature of these vulnerabilities, prompt updates and vigilance are essential for maintaining server security against potential threats.

The Hacker News Tags: cPanel, CVE-2026-48172, cyber threat, Cybersecurity, Exploit, LiteSpeed, LiteSpeed WHM, root access, security flaw, security patch, server security, software update, threat analysis, Vulnerability, web security
