LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
The vulnerability stems from improper handling of Redis enable/disable functions in the cPanel API component. An attacker can abuse the 'cpanel_jsonapi_func=redisAble' parameter to obtain elevated system privileges. The error is classified as CWE-266 (improper privilege management). The exploit requires no authentication or user interaction, making it particularly dangerous.
An attacker can obtain elevated privileges on the system, potentially up to root level, which grants full control over the server. This enables reading and modifying data, installing malicious software, and further lateral movement within the infrastructure.
Immediately update the LiteSpeed User-End cPanel Plugin to version 2.4.7 or later. The vendor also recommends verifying whether the system was targeted by executing the command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null — no results indicate no exploitation. If results are detected, analyze associated IP addresses, block invalid/suspicious ones, and review system logs for activity from detected addresses.
LiteSpeed User-End cPanel Plugin in versions prior to 2.4.5 (recommended minimum secure version: 2.4.7)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XLitespeedtech Litespeed Cpanel Plugin
APPLitespeedtech< 2.4.7Litespeedtech Litespeed Whm Plugin
APPLitespeedtech< 5.3.1.0
CISA KEV — detailsi
- Vendori
- LiteSpeed
- Producti
- cPanel Plugin
- Added to KEVi
- May 26, 2026
- Remediation deadline (US Federal)i
- May 29, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
Related vulnerabilities
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlin...
LiteSpeed Cache – nieuwierzytelnione przejęcie konta przez ujawnione dane logowania
Privilege escalation bez uwierzytelnienia w LiteSpeed Cache dla WordPress
Błędna walidacja DCID w bibliotece LiteSpeed QUIC (LSQUIC)
liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.