CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-48172

CVSS 10.0v4.0pub. 2026-05-21upd. 2026-05-26

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

🤖 AI Analysis
How it works

The vulnerability stems from improper handling of Redis enable/disable functions in the cPanel API component. An attacker can abuse the 'cpanel_jsonapi_func=redisAble' parameter to obtain elevated system privileges. The error is classified as CWE-266 (improper privilege management). The exploit requires no authentication or user interaction, making it particularly dangerous.

Impact

An attacker can obtain elevated privileges on the system, potentially up to root level, which grants full control over the server. This enables reading and modifying data, installing malicious software, and further lateral movement within the infrastructure.

Mitigation & patch

Immediately update the LiteSpeed User-End cPanel Plugin to version 2.4.7 or later. The vendor also recommends verifying whether the system was targeted by executing the command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null — no results indicate no exploitation. If results are detected, analyze associated IP addresses, block invalid/suspicious ones, and review system logs for activity from detected addresses.

Who is affected

LiteSpeed User-End cPanel Plugin in versions prior to 2.4.5 (recommended minimum secure version: 2.4.7)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Litespeedtech Litespeed Cpanel Plugin

    APP
    Litespeedtech
    < 2.4.7
  • Litespeedtech Litespeed Whm Plugin

    APP
    Litespeedtech
    < 5.3.1.0

CISA KEV — detailsi

Vendori
LiteSpeed
Producti
cPanel Plugin
Added to KEVi
May 26, 2026
Remediation deadline (US Federal)i
May 29, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 29 maja 2026
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-54420HIGH8.5⚠ KEVten sam produkt

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlin...

CVE-2024-44000CRITICAL9.8PL ✓ten sam vendor

LiteSpeed Cache – nieuwierzytelnione przejęcie konta przez ujawnione dane logowania

CVE-2024-28000CRITICAL9.8PL ✓ten sam vendor

Privilege escalation bez uwierzytelnienia w LiteSpeed Cache dla WordPress

CVE-2024-25678CRITICAL9.8PL ✓ten sam vendor

Błędna walidacja DCID w bibliotece LiteSpeed QUIC (LSQUIC)

CVE-2022-30592CRITICAL9.8ten sam vendor

liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.