External risk intelligence

LiteSpeed cPanel plugin lets attackers take over your server.

CVE advisoryKnown Exploit

CVE-2026-48172

LiteSpeed's cPanel plugin has a critical flaw allowing any user with an account to take over your server, and it's already being exploited.

4Halo Surface Signal

Privilege Escalation

Litespeedtech Litespeed Cpanel Plugin

before 2.4.7before 5.3.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-48172

The vulnerability exists in a cPanel plugin. cPanel is a web-based hosting control panel specifically designed to be accessed via the internet for remote management of hosting environments. Because the management interface is commonly exposed to the internet to allow users to manage their accounts and server settings, this surface is likely to be reachable by an attacker in typical deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the LiteSpeed User-End cPanel Plugin allows any user with an account to potentially gain elevated privileges, up to and including root access. This is a critical issue because it can be exploited remotely to take full control of a server.

  • Exploited in the wild
  • Can lead to full server control
  • Affects cPanel users

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by leveraging improper handling of Redis features within the LiteSpeed User-End cPanel Plugin. This could allow any authenticated cPanel user to escalate their privileges, potentially gaining root access on the server to execute arbitrary commands. The vulnerability was actively exploited in the wild in May 2026.

  • Exploitable by authenticated cPanel users.
  • Targets Redis enable/disable functionality.
  • Assumes existing cPanel account access.

Live Threat

Current exploitation, exposure, and threat context

Attackers are actively exploiting this vulnerability, as indicated by its presence in the Known Exploited Vulnerabilities catalog. The nature of the vulnerability, allowing privilege escalation to root, makes it highly desirable for attackers seeking to gain complete control of compromised systems.

  • Actively exploited in the wild.
  • Listed on KEV.
  • Privilege escalation to root.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams must prioritize upgrading the LiteSpeed cPanel plugin to version 2.4.7 or later immediately due to active exploitation and critical privilege escalation risks. If an immediate upgrade is not feasible, isolate affected services to prevent further compromise while preparing to patch.

  • Upgrade LiteSpeed cPanel plugin to 2.4.7+.
  • Monitor logs for suspicious commands.
  • Isolate vulnerable servers if patching is delayed.

Frequently asked questions

What is the LiteSpeed cPanel Plugin and what is it used for?

The LiteSpeed User-End cPanel Plugin is a component that integrates LiteSpeed Web Server functionality with the cPanel hosting control panel. It allows users to manage aspects of their web hosting environment through the cPanel interface, often related to server performance and configuration.

How does CVE-2026-48172 allow privilege escalation?

CVE-2026-48172 is a weakness classified as CWE-266, which relates to improper function or role setting. In this case, the plugin mishandles Redis enable/disable features, allowing any cPanel user to escalate their privileges, potentially to root access.

What are the conditions needed to trigger the vulnerability in CVE-2026-48172?

An attacker needs to be an authenticated cPanel user to exploit this vulnerability. The vulnerability is triggered by leveraging the improper handling of Redis features within the plugin. Accessing the plugin via the user-end cPanel interface is the likely method of exploitation.

Who should be concerned about this CVE, considering its internet-facing nature?

Organizations that use cPanel for hosting management and have the LiteSpeed cPanel Plugin installed should be concerned. Since cPanel is typically internet-facing for remote management, this vulnerability has a 'Likely' exposure, meaning attackers could potentially reach it from the internet.

What is the first step to respond to this critical threat?

The immediate first step is to upgrade the LiteSpeed cPanel Plugin to version 2.4.7 or a later recommended version. This addresses the underlying issue that allows for privilege escalation.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified