A critical vulnerability in the LiteSpeed User-End cPanel Plugin is currently being actively exploited in the wild, forcing security teams into an urgent patching cycle. Holding a maximum CVSS score of 10.0, the flaw (CVE-2026-48172) allows remote attackers to achieve full privilege escalation, potentially gaining absolute root access over affected systems.
The security breakdown stems from the mishandling of the plugin’s Redis enable and disable features (redisAble). Because active exploitation was spotted in May 2026, auditing your cPanel deployments should be treated as a top priority.
How to Detect If You Have Been Hit
Fortunately, defensive teams can quickly check for signs of compromise. Run the following command in Bash to scan your cPanel logs for malicious activity:
- No Output: You are in the clear; no exploitation attempts matching this signature have hit your server.
- Active Output: If lines populate your terminal, you have likely been targeted. Immediately inspect the listed IP addresses, verify their legitimacy, and block any unauthorized actors. To gauge the full blast radius, examine your broader system logs to track exactly what those specific IPs did after interacting with the plugin.
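One way to carry out the triage step above once the detection output has been saved to a file. This is an added example, not part of the original report or LiteSpeed's tooling. It assumes each log line begins with the client IP; the function names, file names and sample lines are constructed, and `MATCHED-REQUEST-PLACEHOLDER` stands in for whatever the detection command matches.

```bash
#!/usr/bin/env bash
# Added triage example; not from the original report or LiteSpeed tooling.
# Assumption: each log line starts with the client IP (combined-log style).

# suspect_ips HITS: unique client IPs in the saved detection output,
# printed as "<count> <ip>", most active first.
suspect_ips() {
  awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" |
    sort -k1,1nr -k2,2
}

# activity_for HITS LOG: every LOG line from an IP that appears in HITS,
# i.e. what each suspect did before and after the matched request.
activity_for() {
  awk 'FILENAME == ARGV[1] { bad[$1] = 1; next } ($1 in bad)' "$1" "$2"
}

# make_sample DIR: write constructed sample data (documentation-range IPs).
# hits.txt plays the role of the detection command's saved output.
make_sample() {
  cat > "$1/access.log" <<'EOF'
192.0.2.10 - alice [21/May/2026:09:58:01 +0000] "GET /frontend/index.html HTTP/1.1" 200
198.51.100.7 - - [21/May/2026:10:00:00 +0000] "POST /MATCHED-REQUEST-PLACEHOLDER HTTP/1.1" 200
198.51.100.7 - - [21/May/2026:10:00:03 +0000] "POST /MATCHED-REQUEST-PLACEHOLDER HTTP/1.1" 200
203.0.113.9 - - [21/May/2026:10:02:10 +0000] "POST /MATCHED-REQUEST-PLACEHOLDER HTTP/1.1" 403
198.51.100.7 - - [21/May/2026:10:00:09 +0000] "GET /some/later/request HTTP/1.1" 200
EOF
  grep 'MATCHED-REQUEST-PLACEHOLDER' "$1/access.log" > "$1/hits.txt"
}

# Run with --demo to see both views on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_sample "$dir"
  echo "Suspect IPs (hits, address):"
  suspect_ips "$dir/hits.txt"
  echo "All activity from those IPs:"
  activity_for "$dir/hits.txt" "$dir/access.log"
  rm -rf "$dir"
fi
```

On a real host, pass the saved detection output as the first argument and the log under review as the second; the same IP list can be reused against other system logs that start each line with the client address.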
The Remedy: Upgrade to Version 2.4.7
LiteSpeed shipped a comprehensive fix on May 21, 2026. To secure your infrastructure, you must upgrade to at least cPanel plugin v2.4.7 (which comes bundled with WHM Plugin v5.3.1.0).
Beyond crushing the core Redis flaw, this defensive release introduces several vital security hardening steps:
- Input Validation: Fixes reflected XSS bugs within the input_text and input_password form helpers.
- Command Execution Safety: Replaces the risky shell-string EXEC_ISSUE_CMD with structured argument passing to prevent injection.
- Access Control: Hardens the adminbin caller-trust validation and ensures QuicCloud IP feed integrity is validated before writing to the knownproxies file.
- Safe Defaults: Fresh installations will now default the cPanel plugin auto-install setting to OFF to reduce the overall attack surface.
Whether you are a CISO protecting an entire enterprise hosting fleet or a junior administrator managing a couple of local boxes, do not wait on this one: patch your servers today.