Exploit lets attackers run root scripts via LiteSpeed cPanel

CVE-2026-48172 in the LiteSpeed cPanel plugin (v2.3–2.4.4) is under active exploitation, allowing arbitrary scripts to run as root via the lsws.redisAble function; patched in v2.4.5.

A critical vulnerability tracked as CVE-2026-48172 and rated CVSS 10.0 is being actively exploited in the wild. The flaw exists in the LiteSpeed user-end cPanel plugin and allows attackers to run arbitrary scripts with root privileges by calling the lsws.redisAble function. Affected plugin versions range from 2.3 through 2.4.4; the issue was addressed in cPanel plugin version 2.4.5, and additional fixes were released in cPanel plugin v2.4.7, bundled with WHM plugin v5.3.1.0.

The vulnerability stems from incorrect privilege assignment in the cPanel plugin that made it possible for any cPanel user, including a compromised account or an attacker, to trigger lsws.redisAble and execute scripts as root. Security researcher David Strydom is credited with discovering and reporting the flaw. LiteSpeed assigned the CVE and gave it a maximum severity score; the company warned the vulnerability is actively exploited but did not release further technical details about attack methods.

Administrators can check for evidence of exploitation by searching cPanel log directories for calls to the vulnerable function. LiteSpeed provided this indicator-of-compromise command for local inspection: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. If the command produces no output, there are no recorded exploitation entries in those logs; if it returns results, administrators should examine the associated IP addresses and block any that are not legitimate.
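The grep command above only lists matching lines. As an added example (not LiteSpeed's or this article's code), the script below groups the hits by source IP and cPanel user and filters them against an allowlist of known-legitimate addresses. It assumes combined-log-style lines with the client IP in field 1 and the user in field 3; the sample log lines, the allowlist format and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of redisAble calls found in cPanel logs.
# Assumption: combined-log-style lines, client IP in field 1, user in field 3.

# make_sample_logs: write constructed sample logs to a temp dir, print its path.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/access_log" <<'EOF'
203.0.113.7 - alice [12/May/2026:10:01:02 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - alice [12/May/2026:10:01:09 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - bob [12/May/2026:11:30:00 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.10 - carol [12/May/2026:11:45:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=exampleOther HTTP/1.1" 200 0
EOF
    cat > "$dir/access_log.1" <<'EOF'
203.0.113.7 - alice [11/May/2026:23:59:58 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
    printf '%s\n' "$dir"
}

# summarize_redisable PATH...: print "COUNT IP USER", busiest source first.
summarize_redisable() {
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null \
        | awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' \
        | sort -k1,1nr -k2,2
}

# unknown_sources ALLOWLIST PATH...: source IPs with hits that are not
# listed (one IP per line) in ALLOWLIST; these are the ones to investigate.
unknown_sources() {
    _allow=$1; shift
    summarize_redisable "$@" | awk '{ print $2 }' | sort -u \
        | grep -vxFf "$_allow" || true
}

# Demo on the constructed logs; on a server, pass the two log directories
# named in the article instead of the sample directory.
sample=$(make_sample_logs)
summarize_redisable "$sample"
rm -rf "$sample"
```

Rotated logs that have been compressed are not read by grep -r and need to be checked separately.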

Initially, LiteSpeed reported the WHM plugin was not impacted. After a security review of both the cPanel and WHM plugins, the vendor patched additional potential attack vectors and published updated packages. Users are advised to upgrade to WHM Plugin version 5.3.1.0, which includes cPanel plugin v2.4.7 or later, to ensure all fixes are applied. For environments where immediate patching is not possible, removing the user-end plugin is an available mitigation using: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.

The disclosure follows the recent active exploitation of a separate cPanel vulnerability, CVE-2026-41940, which was used by unknown actors to deploy Mirai botnet variants and a ransomware strain called Sorry. Hosting providers and server administrators should apply the updates and review logs for signs of compromise.
