CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed user-end plugin for cPanel, allowing attackers to execute arbitrary scripts with root privileges. The flaw was actively exploited as a zero-day before being patched in version 2.4.5 of the user-end plugin. The vulnerability affects all user-end plugin versions from 2.3 to 2.4.4. LiteSpeed’s WHM plugin is unaffected. cPanel responded by removing the vulnerable plugin from all cPanel versions via a nightly update. CISA has included this vulnerability in its Known Exploited Vulnerabilities catalog and mandated patching or removal by May 29, 2026, under Binding Operational Directive 22-01. The vendor recommends upgrading to WHM Plugin version 5.3.1.0 or higher, which bundles the patched user-end plugin version 2.4.7. If patching is not feasible, complete removal of the plugin is advised.

The vulnerability allows attackers to escalate privileges to root level on affected servers, enabling execution of arbitrary scripts with full administrative control. This poses a severe risk of unauthorized access and potential full compromise of affected systems. The vulnerability was actively exploited in the wild as a zero-day before the patch was released. The impact is critical due to the level of access gained and the active exploitation status prior to remediation.

A patch is available in LiteSpeed user-end plugin version 2.4.5 and WHM Plugin version 5.3.1.0 or higher (which bundles user-end plugin 2.4.7). Users should immediately upgrade to these versions to remediate the vulnerability. If patching is not possible, the vendor and cPanel recommend complete removal of the LiteSpeed user-end plugin. cPanel has also removed the vulnerable plugin from all cPanel versions via a nightly update. CISA mandates patching or removal by May 29, 2026, under BOD 22-01. Users should also review system logs and block any suspicious IPs identified during investigation as per vendor guidance.