[CDP-development] TLP:GREEN (Vulnerability Alert Notification) : CVE-2026-48172: LiteSpeed User-End cPanel Plugin Incorrect Privilege Assignment
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Tue May 26 12:49:02 PDT 2026
Good afternoon,
The State of Oregon SOC Services Team is reporting on the vulnerability CVE-2026-48172 affecting the LiteSpeed User-End cPanel Plugin (lsws.redisAble function) endpoint management server configuration and agent updates. Due to active exploitation in the wild, confirmed via the CISA KEV catalog, we are providing this in-depth operational intelligence to assist with immediate remediation and response tracking.
History: The vulnerability was identified under active exploitation in the wild in May 2026 and publicly coordinated on May 21, 2026. The CVSS v4.x base score is 10.0 (CRITICAL) as assigned by MITRE.
Affected Versions
* LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4.
Fixed Versions
* LiteSpeed User-End cPanel Plugin version 2.4.5 (Initial fix).
* LiteSpeed User-End cPanel Plugin version 2.4.7 (Bundled with LiteSpeed WHM Plugin v5.3.1.0).
LiteSpeed Technologies provides high-performance, high-scalability web servers and software. The User-End cPanel Plugin is designed to let cPanel users manage individual web performance settings, such as caching features, from within their personal cPanel dashboards.
Vendor Advisory: Security Update for LiteSpeed cPanel Plugin <https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/>
Intelligence: On May 26, 2026, CISA confirmed the vulnerability as being exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog.
Exploitability: Network
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Not publicly disclosed
Zero Day: Yes
Workarounds: Completely uninstall the user-end plugin by executing the following administrative command: `/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall`.
How it Works: The flaw resides within the `redisAble` function inside the LiteSpeed User-End cPanel Plugin backend interface (`lsws.redisAble`). When an authenticated tenant requests to enable or disable Redis caching via the cPanel JSON API endpoint, the application handles the toggle via elevated system privileges to modify system services/unit files. Because of Incorrect Privilege Assignment (CWE-266), the function fails to validate the authorization level or restrict the context of parameters supplied by the standard user. An attacker issues a crafted HTTP API request specifying `cpanel_jsonapi_func=redisAble` along with injected parameters containing arbitrary command strings, bypassing application-level sandbox controls. The backend processes the input within a root security context, executing the payload instantly.
Post-Exploit Impact:
* Full system compromise and execution of arbitrary code with root privileges (CWE-266).
Indicators of Compromise (IoCs):
| Type | Value | Description / Notes | Source |
| --- | --- | --- | --- |
| Log Artifact String | `cpanel_jsonapi_func=redisAble` | Presence of this function invocation within cPanel administrative access or transaction logs indicates an attempt or execution of the exploit chain. | LiteSpeed Technologies Official Advisory |
| Log Directory Search Command | `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` | Bash command sequence optimized to sweep cPanel logging architectures for known exploitation parameters. | LiteSpeed Technologies Official Advisory |
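A triage sketch for the log indicator above, added here as an example and not part of the advisory or the vendor's tooling: it parses access-log lines, URL-decodes the query string so that percent-encoded or differently cased variants a literal grep would miss are also matched, and groups hits by source IP and cPanel user. The combined-style log layout, the `lsws` module name in the sample and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed layout: Apache combined-style access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INDICATOR_PARAM = "cpanel_jsonapi_func"
INDICATOR_VALUE = "redisable"  # compared case-insensitively

# Constructed sample lines (not real traffic, no exploit parameters).
SAMPLE_LOG = """\
203.0.113.7 - tenant1 [05/22/2026:03:14:07 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.7 - tenant1 [05/22/2026:03:14:09 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 498
198.51.100.20 - tenant2 [05/22/2026:04:00:00 -0000] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 9000
198.51.100.20 - tenant2 [05/22/2026:04:00:05 -0000] "GET /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_func=listaccts HTTP/1.1" 200 120
this line is not in access-log format
"""

def find_hits(lines):
    """Yield (ip, user, timestamp, status) for requests invoking redisAble."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        query = urlsplit(m["target"]).query
        funcs = parse_qs(query).get(INDICATOR_PARAM, [])  # values are URL-decoded
        if any(f.lower() == INDICATOR_VALUE for f in funcs):
            yield m["ip"], m["user"], m["ts"], int(m["status"])

def summarize(lines):
    """Group hits per (ip, user): count, first/last seen, status codes."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for ip, user, ts, status in find_hits(lines):
        rec = out[(ip, user)]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["statuses"].add(status)
    return dict(out)

if __name__ == "__main__":
    for key, rec in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, rec)
```

The grouped output gives the accounts and time window to scope during the compromise check that precedes patching.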
Tenable Plugins:
As of May 26, 2026, Tenable has not provided any plugins for this vulnerability.
Recommended Actions:
Date Added to KEV Catalog: May 21, 2026
Due Date for Remediation: June 11, 2026
* Upgrade to LiteSpeed WHM Plugin version 5.3.1.0 or higher immediately, which automatically updates the underlying User-End cPanel Plugin to v2.4.7.
* If patching windows cannot be scheduled immediately, execute the workaround script to completely purge the User-End plugin interface from the hosting server fleet.
* Verify that the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV