CVE-2026-48172
Analyzed Analyzed - Analysis Complete
Privilege Escalation in LiteSpeed User-End cPanel Plugin

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: MITRE

Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-48172
EUVD
EUVD-2026-31204
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
litespeedtech litespeed_cpanel_plugin to 2.4.7 (exc)
litespeedtech litespeed_whm_plugin to 5.3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the LiteSpeed User-End cPanel Plugin versions before 2.4.5. It allows privilege escalation, potentially to root level, due to mishandling of Redis enable/disable features. This vulnerability has been exploited in the wild as of May 2026.

Detection involves running a command to search for the string "cpanel_jsonapi_func=redisAble" in specific cPanel log directories. If output is found, it indicates possible exploitation, and further investigation of IP addresses and system logs is recommended.

Impact Analysis

This vulnerability can lead to privilege escalation, possibly granting an attacker root-level access to the affected system. Such elevated privileges can allow unauthorized control over the server, potentially leading to data breaches, system compromise, or further exploitation.

If exploited, attackers may manipulate system configurations, access sensitive data, or disrupt services running on the server.

Detection Guidance

This vulnerability can be detected by running a command line search for the string "cpanel_jsonapi_func=redisAble" in the cPanel log directories.

  • Use the following Bash command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If the command returns no output, it indicates that the system has not been exploited via this vulnerability. If there is output, examine the IP addresses found, verify their validity, and consider blocking any suspicious IPs. Additionally, review system logs for activities associated with those IP addresses to assess potential damage.

Mitigation Strategies

Immediate mitigation steps include examining any detected suspicious IP addresses from the detection command and blocking those that are not valid or authorized.

Additionally, review system logs for any unauthorized activity linked to those IP addresses to understand the extent of any compromise.

Since the vulnerability affects LiteSpeed User-End cPanel Plugin versions before 2.4.5, upgrading the plugin to version 2.4.5 or later is recommended to prevent exploitation.

Compliance Impact

The vulnerability in LiteSpeed User-End cPanel Plugin before version 2.4.5 allows privilege escalation, potentially to root level, which can lead to unauthorized access and control over the affected system.

Such unauthorized privilege escalation can compromise the confidentiality, integrity, and availability of sensitive data, which are core requirements in compliance standards like GDPR and HIPAA.

If exploited, this vulnerability could result in data breaches or unauthorized data manipulation, thereby violating regulatory requirements for protecting personal and health information.

Therefore, organizations using affected versions of the plugin may face increased risk of non-compliance with these standards unless the vulnerability is mitigated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart