Cyber Resilience

CVE-2026-48172

Critical · CISA KEV · Active Exploitation

Published: 21 May 2026

Modified: 26 May 2026
KEV Added: 26 May 2026
Patch
CVSS Score v4: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1891 (96.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-48172 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the litespeedtech LiteSpeed cPanel Plugin. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 3.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-6 (Audit Record Review, Analysis, and Reporting) and SI-2 (Flaw Remediation).

Deeper analysis

The LiteSpeed User-End cPanel Plugin before version 2.4.5 contains a privilege escalation vulnerability, possibly to root, that stems from incorrect handling of the Redis enable and disable features and is tracked under CWE-266. The flaw received the maximum CVSS 4.0 score of 10.0, reflecting network-accessible attack conditions with no required authentication or user interaction.

Unauthenticated remote attackers can exploit the issue to obtain elevated privileges on affected systems. Public records confirm the vulnerability was exploited in the wild during May 2026, enabling adversaries to execute arbitrary actions that could fully compromise the host.

Vendor advisories direct administrators to upgrade to version 2.4.7 or later. To detect potential compromise, search the cPanel logs for the string "cpanel_jsonapi_func=redisAble", then review any matching IP addresses and the associated system activity. The flaw is also listed in the CISA Known Exploited Vulnerabilities catalog. The associated EPSS score has remained flat at 0.0796 with no material increase after disclosure.

Vulnerability details

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
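An added example (not from the vendor advisory or this page's source) that extends the grep check above: it tallies the matching requests per source address and marks every address that is not on a list of known administrator addresses for review. It assumes the client address is the first whitespace-delimited field of each log line; the sample lines, their request path and the known-address list are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage the sources of redisAble requests found in cPanel logs.
# Assumption: the client address is the first whitespace-delimited field.

INDICATOR='cpanel_jsonapi_func=redisAble'

# Read log lines on stdin and print "count address status", busiest first.
# $1 (optional): space-separated addresses you already know to be legitimate.
summarise_sources() {
    grep -F -- "$INDICATOR" |
        awk -v known_list="${1:-}" '
            BEGIN { split(known_list, a, " "); for (i in a) known[a[i]] = 1 }
            { hits[$1]++ }
            END {
                for (ip in hits)
                    print hits[ip], ip, ((ip in known) ? "known" : "review")
            }' |
        sort -k1,1nr -k2,2
}

# Constructed sample lines using documentation address ranges, not real logs.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [21/May/2026:03:14:07 +0000] "POST /EXAMPLE-PATH?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.44 - - [21/May/2026:03:14:09 +0000] "GET /EXAMPLE-PATH?cpanel_jsonapi_func=other HTTP/1.1" 200 0
198.51.100.10 - - [21/May/2026:03:15:30 +0000] "POST /EXAMPLE-PATH?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - - [21/May/2026:03:16:02 +0000] "POST /EXAMPLE-PATH?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - - [21/May/2026:03:16:40 +0000] "GET /EXAMPLE-PATH HTTP/1.1" 200 0
EOF
}

# Same directories as the grep command above; -h drops the file-name prefix
# so that the first field of every line is the address.
scan_cpanel_logs() {
    grep -rhE -- "$INDICATOR" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null |
        summarise_sources "${1:-}"
}

if [ "${1:-}" = "--scan" ]; then
    scan_cpanel_logs "${2:-}"        # e.g. --scan "198.51.100.10"
else
    sample_log | summarise_sources "198.51.100.10"
fi
```

Addresses marked "review" are the ones to check against system logs and block if they are not legitimate; empty output means no matching request was logged.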

CWE(s)
KEV Date Added: 26 May 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation vulnerability (CWE-266) in cPanel plugin enables exploitation for privilege escalation to root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-33179 · Shared CWE-266
CVE-2024-49644 · Shared CWE-266
CVE-2024-56280 · Shared CWE-266
CVE-2026-42758 · Shared CWE-266
CVE-2026-32530 · Shared CWE-266
CVE-2025-22736 · Shared CWE-266
CVE-2026-48879 · Shared CWE-266
CVE-2026-25414 · Shared CWE-266
CVE-2025-62645 · Shared CWE-266
CVE-2026-3121 · Shared CWE-266

Affected Assets

litespeedtech · litespeed cpanel plugin · ≤ 2.4.7
litespeedtech · litespeed whm plugin · ≤ 5.3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires timely application of vendor patches to eliminate the vulnerable Redis feature handling code in the cPanel plugin.

Detect: Mandates review and analysis of cPanel logs specifically for the indicator 'cpanel_jsonapi_func=redisAble' to identify exploitation attempts.

Prevent: Enforces least-privilege assignment so that even successful exploitation of the CWE-266 flaw yields minimal additional rights beyond the plugin's intended scope.
