Critical Alert: LiteSpeed cPanel Plugin (CVE-2026-48172) Root RCE in the Wild
Just saw this hit the wires and wanted to give everyone a heads-up, especially those managing shared hosting environments. We have a maximum-severity vulnerability (CVSS 10.0) in the LiteSpeed User-End cPanel plugin, tracked as CVE-2026-48172.
This is currently under active exploitation. The flaw stems from an incorrect privilege assignment that allows any cPanel user to run arbitrary scripts with root permissions. If you have a single compromised account on a server, the attacker can trivially escalate to root and potentially own the box.
If you are running LiteSpeed with cPanel, I strongly suggest checking your plugin versions immediately. You can verify the installation status on your server using:
cpapi2 --user=YOUR_ROOT_USER ModuleInfo getinfo_display module=LiteSpeed
Alternatively, grep for the package in your installed list:
rpm -qa | grep -i litespeed
The remediation here is critical—update the plugin via WHM or your package manager immediately. If you can't patch right now, consider disabling the plugin temporarily, though that may impact user functionality.
Given the ease of exploitation (requires only a standard cPanel user), how is everyone handling incident response on shared servers? Are you auditing existing user logs for signs of root escalation, or just assuming breach and re-imaging?
This is exactly why we restrict third-party plugins in our SOC baselines, but I know a lot of MSPs rely on LiteSpeed for performance. For detection, you should pivot your SIEM to look for commands executed by cPanel users (usually uid > 500) that result in root ownership changes or spawn shells with UID 0.
# Check for suspicious root-owned files in user homes
find /home/*/public_html -user root -type f -perm 4000
nightmare for shared hosting. If one client gets hit by a generic WordPress brute force, the attacker pivots to root instantly. I'm pushing updates via Ansible across our fleet right now. Make sure you check /usr/local/litespeed/conf/httpd_config.conf for any unexpected includes if you suspect you've already been compromised.
Thanks for the post. We saw some weird nobody user processes spawning bash yesterday on a few boxes—this explains it. For anyone needing a quick mitigation before the patch deploys fully, you can use CageFS to lock down users if you have CloudLinux installed. It won't fix the plugin bug, but it contains the blast radius significantly.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access