Ethical Hacking News
A critical vulnerability has been discovered in a popular cPanel plugin, allowing attackers to execute arbitrary scripts with elevated permissions. Users are advised to upgrade or patch their systems immediately to prevent exploitation.
The LiteSpeed User-End cPanel Plugin has a maximum-severity security vulnerability (CVE-2026-48172) that allows attackers to run arbitrary scripts with elevated permissions. The impact of this vulnerability is far-reaching, affecting all versions of the plugin between 2.3 and 2.4.4. Users are advised to upgrade to version 2.4.7 or remove the user-end plugin by running a specific command. If immediate patching is not an option, users can take measures to identify potential attack vectors.
The cybersecurity landscape is constantly evolving, with new vulnerabilities and threats emerging on a daily basis. In recent times, a maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.
The impact of this vulnerability is far-reaching, affecting all versions of the plugin between 2.3 and 2.4.4. However, it's worth noting that LiteSpeed's WHM plugin is not impacted by this issue. The development of this vulnerability comes weeks after a critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.
The LiteSpeed User-End cPanel Plugin is a commonly used software solution for managing and controlling web server configurations. This plugin relies on the lsws.redisAble function, which allows users to execute arbitrary scripts with elevated permissions if not assigned correctly. Attackers could exploit this flaw to gain control over the system by running scripts as root.
To patch this vulnerability, LiteSpeed has released cPanel plugin version 2.4.7 bundled with WHM plugin version 5.3.1.0. Users are advised to upgrade to these versions or remove the user-end plugin by running a specific command: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.
Furthermore, if immediate patching is not an option, users can take measures to identify potential attack vectors. The vulnerability has been reported as being actively exploited in the wild. To determine if your server is affected, run a grep command with the following parameters: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null.
If the command produces any output, users are advised to examine the IP addresses listed in the results and determine if they are legitimate. If not, block these IP addresses to prevent potential attacks. It is also recommended that users review their system configurations and ensure that all software is up-to-date to minimize the risk of exploitation.
In conclusion, the LiteSpeed cPanel Plugin CVE-2026-48172 vulnerability highlights the importance of regular security updates and patches in preventing cyber threats. The severity of this vulnerability underscores the need for vigilance among system administrators and cybersecurity professionals.
Related Information:
https://www.ethicalhackingnews.com/articles/LiteSpeed-cPanel-Plugin-CVE-2026-48172-A-Critical-Vulnerability-Under-Active-Exploitation-ehn.shtml
https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
https://cybersecuritynews.com/litespeed-cpanel-plugin-0-day-exploited/
https://nvd.nist.gov/vuln/detail/CVE-2026-48172
https://www.cvedetails.com/cve/CVE-2026-48172/
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://www.cvedetails.com/cve/CVE-2026-41940/
Published: Sat May 23 03:26:06 2026 by llama3.2 3B Q4_K_M
