CVE-2026-48172: CWE-266 Incorrect Privilege Assignment in LiteSpeed Technologies cPanel Plugin
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-48172) involves incorrect privilege assignment (CWE-266) in the LiteSpeed Technologies cPanel Plugin prior to version 2.4.5. It allows an attacker to escalate privileges, possibly to root, by exploiting mishandling of Redis enable/disable functionality. Detection involves searching cPanel log files for specific API function calls indicative of exploitation attempts. The vendor recommends upgrading to at least version 2.4.7 to address the issue. The CVSS 4.0 base score is 10.0, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, availability, scope, and security requirements.
Potential Impact
Successful exploitation can lead to privilege escalation, potentially granting root-level access on affected systems. This could allow attackers full control over the compromised server, leading to complete system compromise. The vulnerability affects LiteSpeed cPanel Plugin versions before 2.4.5. There is no explicit confirmation of known exploits in the wild, but the description mentions exploitation in May 2026. The critical CVSS score reflects the severity of impact.
Mitigation Recommendations
The vendor recommends upgrading the LiteSpeed cPanel Plugin to version 2.4.7 or later. Detection can be performed by running the provided grep command to identify potential exploitation traces in cPanel log files. If suspicious IP addresses are found, they should be verified and blocked if unauthorized. Since no official patch or remediation level is explicitly stated, users should prioritize upgrading to the recommended minimum version. Patch status is not yet confirmed in the vendor advisory; check the vendor's official channels for current remediation guidance.
CVE-2026-48172: CWE-266 Incorrect Privilege Assignment in LiteSpeed Technologies cPanel Plugin
Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
CVSS v4.0
Score 10.0critical
Affected software
pkg:github/litespeedtech/cpanel-pluginRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-48172) involves incorrect privilege assignment (CWE-266) in the LiteSpeed Technologies cPanel Plugin prior to version 2.4.5. It allows an attacker to escalate privileges, possibly to root, by exploiting mishandling of Redis enable/disable functionality. Detection involves searching cPanel log files for specific API function calls indicative of exploitation attempts. The vendor recommends upgrading to at least version 2.4.7 to address the issue. The CVSS 4.0 base score is 10.0, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, availability, scope, and security requirements.
Potential Impact
Successful exploitation can lead to privilege escalation, potentially granting root-level access on affected systems. This could allow attackers full control over the compromised server, leading to complete system compromise. The vulnerability affects LiteSpeed cPanel Plugin versions before 2.4.5. There is no explicit confirmation of known exploits in the wild, but the description mentions exploitation in May 2026. The critical CVSS score reflects the severity of impact.
Mitigation Recommendations
The vendor recommends upgrading the LiteSpeed cPanel Plugin to version 2.4.7 or later. Detection can be performed by running the provided grep command to identify potential exploitation traces in cPanel log files. If suspicious IP addresses are found, they should be verified and blocked if unauthorized. Since no official patch or remediation level is explicitly stated, users should prioritize upgrading to the recommended minimum version. Patch status is not yet confirmed in the vendor advisory; check the vendor's official channels for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-05-21T00:38:03.845Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0eee5b7b8e1438d0bb6cd3
Added to database: 05/21/2026, 11:36:59 UTC
Last enriched: 05/28/2026, 20:18:49 UTC
Last updated: 07/09/2026, 19:47:32 UTC
Views: 453
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.