CVE-2026-48172
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-29.
6 articles across 6 outlets · first covered May 23, 2026 · latest May 28, 2026
Tracked incidents
Associated threat actors
Coverage timeline
-
CISA adds LiteSpeed cPanel flaw CVE-2026-48172 to KEV catalogsecurityaffairs.com · May 28, 2026
-
Serpens Hackers Exploit CVE-2026-48172, Roll Out New RAT Variantssecurityonline.info · May 27, 2026
-
CISA urges patch of CVE-2026-48172 in cPanel LiteSpeed pluginwww.securityweek.com · May 27, 2026
-
CISA flags LiteSpeed cPanel Plugin bug CVE-2026-48172 in KEVwww.cisa.gov · May 26, 2026
-
CISA Adds Critical LiteSpeed cPanel Plugin Flaw to KEV Cataloguecisa.gov · May 26, 2026
-
LiteSpeed cPanel Plugin Flaw Lets Attackers Gain Root via CVE-2026-48172thehackernews.com · May 23, 2026