VULNERABILITY OVERVIEW
An incorrect privilege assignment (CWE-266) in the lsws.redisAble JSON-API function allows any authenticated cPanel user — including attackers with compromised shared-hosting accounts — to execute arbitrary scripts as root with a single malformed API call; no race condition or authentication bypass is required. LiteSpeed confirmed active in-the-wild exploitation, with opportunistic automated scanning targeting web hosting environments broadly. cPanel forced a fleet-wide emergency uninstall five hours before its scheduled patch window. Fixed in version 2.4.5; version 2.4.7, bundled with WHM Plugin 5.3.1.0, is recommended.
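The following version check is added here as an example (it is not code from LiteSpeed, cPanel, or the cited reports): it encodes the version boundaries this advisory states (2.3 through 2.4.4 affected, 2.4.5 fixed, 2.4.7 recommended) and classifies an installed plugin version against them, comparing numerically so that a release such as 2.4.10 is not mistaken for one older than 2.4.4. The sample inventory is constructed.

```python
import re
from typing import Tuple

# Version boundaries as stated in this advisory.
AFFECTED_MIN = (2, 3, 0)   # first affected release (2.3)
FIXED = (2, 4, 5)          # first release with the fix
RECOMMENDED = (2, 4, 7)    # release the advisory recommends


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '2.4', '2.4.4' or 'v2.4.7' into a numeric (major, minor, patch) tuple.

    Anything else raises ValueError, so a garbled or missing version string can
    never be misread as 'not affected'.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> str:
    """Classify an installed plugin version against the advisory's ranges.

    Tuples compare numerically, so '2.4.10' correctly sorts after '2.4.4'
    (a plain string comparison would get this wrong).
    """
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "outside-stated-range"   # advisory says nothing about pre-2.3 releases
    if v < FIXED:
        return "affected"
    if v < RECOMMENDED:
        return "fixed-but-below-recommended"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported plugin version).
    inventory = {"web01": "2.4.4", "web02": "2.4.10", "web03": "2.3", "web04": "2.2.9"}
    for host, ver in sorted(inventory.items()):
        print(f"{host}: {ver} -> {assess(ver)}")
```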
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Impact: C:H · I:H · A:H
AFFECTED VERSIONS
LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4 (the WHM plugin is not affected)
CITATIONS
- https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
- https://www.rescana.com/post/critical-active-exploitation-alert-cve-2026-48172-in-litespeed-cpanel-plugin-enables-root-privilege-escalation
- https://threat-modeling.com/vulnerability-intelligence-report-may-23-2026/