CVE-2026-48172
Published: 21 May 2026
Summary
CVE-2026-48172 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Litespeedtech Litespeed Cpanel Plugin. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 3.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-6 (Audit Record Review, Analysis, and Reporting) and SI-2 (Flaw Remediation).
Deeper analysis
The LiteSpeed User-End cPanel Plugin before version 2.4.5 contains a privilege escalation vulnerability, possibly to root, that stems from incorrect handling of Redis enable and disable features and is tracked under CWE-266. The flaw received a maximum CVSS 4.0 score of 10.0, reflecting network-accessible attack conditions with no required authentication or user interaction.
Unauthenticated remote attackers can exploit the issue to obtain elevated privileges on affected systems. Public records confirm the vulnerability was exploited in the wild during May 2026, enabling adversaries to execute arbitrary actions that could fully compromise the host.
Vendor advisories direct administrators to upgrade to version 2.4.7 or later. Detection of potential compromise is accomplished by searching cPanel logs for the string "cpanel_jsonapi_func=redisAble", followed by review of any matching IP addresses and associated system activity. The flaw is also listed in the CISA Known Exploited Vulnerabilities catalog. The associated EPSS score has remained flat at 0.0796 with no material increase after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31204
Vulnerability details
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
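The triage step described above (search for the indicator, then review the matching addresses), as an added example that is not part of the CVE record or the vendor's guidance: it groups hits by source address with first and last timestamps. It assumes access-log style lines with the client address as the first field and the timestamp in square brackets; the sample lines, addresses and PLACEHOLDER paths are constructed.

```shell
#!/bin/sh
# Added example: group hits for the page's indicator by source address.
INDICATOR='cpanel_jsonapi_func=redisAble'
TAB=$(printf '\t')

# summarize_redisable PATH...
# Output, one line per source: count<TAB>source<TAB>first_seen<TAB>last_seen
# Assumption: access-log layout, client address first, timestamp in [brackets].
summarize_redisable() {
    grep -rhE -- "$INDICATOR" "$@" 2>/dev/null |
    awk -v OFS='\t' '
        {
            src = $1
            # Lines in another layout are counted as "unparsed", not dropped.
            if (src !~ /^[0-9A-Fa-f:.]+$/ || src !~ /[.:]/) src = "unparsed"
            ts = "-"
            a = index($0, "["); b = index($0, "]")
            if (a && b > a) ts = substr($0, a + 1, b - a - 1)
            if (!(src in hits)) first[src] = ts
            last[src] = ts
            hits[src]++
        }
        END { for (s in hits) print hits[s], s, first[s], last[s] }
    ' | sort -t "$TAB" -k1,1nr -k2,2
}

# Constructed sample data (documentation address ranges, placeholder paths).
write_constructed_sample() {
    mkdir -p "$1/logs"
    cat > "$1/logs/access_log" <<'EOF'
192.0.2.10 - - [21/May/2026:10:00:01 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 88
198.51.100.7 - alice [21/May/2026:10:02:11 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=PLACEHOLDER_FUNC HTTP/1.1" 200 512
192.0.2.10 - - [21/May/2026:10:05:42 +0000] "POST /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 88
203.0.113.5 - - [22/May/2026:03:14:00 +0000] "GET /PLACEHOLDER?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0
EOF
    printf '%s\n' 'warn: request cpanel_jsonapi_func=redisAble rejected' > "$1/logs/error_log"
}

# Run against real paths when given, e.g. the two log directories from the page.
if [ "$#" -gt 0 ]; then summarize_redisable "$@"; fi
```

An empty result corresponds to the "no output" case in the description; an "unparsed" row means a matching line came from a log in a different layout and needs to be read by hand.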
- CWE(s)
- KEV Date Added: 26 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation vulnerability (CWE-266) in cPanel plugin enables exploitation for privilege escalation to root.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of vendor patches to eliminate the vulnerable Redis feature handling code in the cPanel plugin.
Mandates review and analysis of cPanel logs specifically for the indicator 'cpanel_jsonapi_func=redisAble' to identify exploitation attempts.
Enforces least-privilege assignment so that even successful exploitation of the CWE-266 flaw yields minimal additional rights beyond the plugin's intended scope.