How can I protect my system from this vulnerability?

Update the LiteSpeed cPanel Plugin to version 2.4.5 or higher immediately to mitigate the risk associated with CVE-2026-48172.

Has this vulnerability been exploited in the wild?

Yes, there have been active exploitations of CVE-2026-48172, making it imperative to apply the necessary updates promptly.

Critical Vulnerability in LiteSpeed cPanel Plugin Exploited for Root Access

Q: What is CVE-2026-48172?

CVE-2026-48172 is a critical vulnerability in LiteSpeed's User-End cPanel Plugin versions 2.3 through 2.4.4, allowing attackers to execute arbitrary scripts with root privileges.

A severe security flaw in LiteSpeed's cPanel Plugin allows attackers to gain root access. Immediate updates are essential to protect your systems.

Published: May 23, 2026

Share this on:

Executive Summary

In May 2026, a critical vulnerability (CVE-2026-48172) was discovered in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4, allowing attackers to execute arbitrary scripts with root privileges. This flaw, stemming from incorrect privilege assignment in the 'lsws.redisAble' function, has been actively exploited in the wild, posing significant risks to affected systems. LiteSpeed has addressed this issue in version 2.4.5 and recommends immediate updates to mitigate potential threats. (thehackernews.com)

The exploitation of this vulnerability underscores the persistent threat posed by privilege escalation attacks, emphasizing the need for organizations to maintain rigorous patch management practices. As cyber threats continue to evolve, staying vigilant and promptly addressing known vulnerabilities is crucial to safeguarding system integrity and data security.

Why This Matters Now

The active exploitation of CVE-2026-48172 highlights the urgency for organizations using LiteSpeed's cPanel Plugin to update to version 2.4.5 immediately. Failure to do so leaves systems vulnerable to unauthorized root access, potentially leading to severe data breaches and operational disruptions.

Attack Path Analysis

An attacker exploited a privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin to gain root access, potentially leading to lateral movement within the network, establishing command and control channels, exfiltrating sensitive data, and causing significant impact.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

An attacker exploited the LiteSpeed User-End cPanel Plugin vulnerability (CVE-2026-48172) to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-48172
CVSS 10
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026.
Affected Products:
LiteSpeed Technologies LiteSpeed User-End cPanel Plugin – < 2.4.5
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-48172 https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log

MITRE ATT&CK® Techniques

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Execution

T1059

Command and Scripting Interpreter

Initial Access

T1078

Valid Accounts

Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Execution

T1203

Exploitation for Client Execution

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The exploitation of CVE-2026-48172 indicates a failure to apply necessary security patches, exposing systems to known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the organization's cybersecurity policy, particularly in vulnerability management and access control.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights deficiencies in the ICT risk management framework, failing to address and mitigate known software vulnerabilities.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The attack exploited improper privilege assignments, indicating weaknesses in identity and access management controls.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The exploitation of a known vulnerability reflects insufficient implementation of cybersecurity risk management measures as required by the directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Critical privilege escalation vulnerability in LiteSpeed cPanel plugin enables root-level script execution, compromising web hosting infrastructure and requiring immediate patching across IT environments.

Internet

CVE-2026-48172 exploitation allows arbitrary script execution with elevated permissions, threatening web hosting platforms and internet service providers using cPanel management systems.

Computer Software/Engineering

Maximum severity vulnerability in cPanel plugin creates privilege escalation risks for software development environments, potentially compromising source code and deployment pipelines.

Financial Services

Root-level privilege escalation through compromised cPanel accounts poses severe compliance risks under PCI DSS and data protection regulations for financial institutions.

Sources

LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Roothttps://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
Verified

NVD - CVE-2026-48172https://nvd.nist.gov/vuln/detail/CVE-2026-48172

Verified

LiteSpeed cPanel Pluginhttps://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel

Verified

LiteSpeed Release Loghttps://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log

Verified

Frequently Asked Questions

CVE-2026-48172 is a critical vulnerability in LiteSpeed's User-End cPanel Plugin versions 2.3 through 2.4.4, allowing attackers to execute arbitrary scripts with root privileges.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate data by enforcing strict segmentation and identity-based access controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix CNSF may not prevent the initial exploitation, it would likely limit the attacker's ability to leverage the compromised access to further infiltrate the network.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to exploit elevated privileges to access other critical systems.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict controls on internal traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate sensitive data.

Impact (Mitigations)

Aviatrix Zero Trust CNSF would likely limit the overall impact by containing the attacker's activities to a constrained segment of the network.

Impact at a Glance

Affected Business Functions

Web Hosting Services
Server Management

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of server configurations and hosted website data.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within the network.
• Deploy East-West Traffic Security controls to monitor and control internal traffic flows.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerability in LiteSpeed cPanel Plugin Exploited for Root Access

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-48172

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploitation for Privilege Escalation

Command and Scripting Interpreter

Valid Accounts

Abuse Elevation Control Mechanism

Exploitation for Client Execution

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Internet

Computer Software/Engineering

Financial Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads