LiteSpeed cPanel Plugin CVE-2026-48172 actively exploited - root-level script execution, update to 2.4.7 / WHM 5.3.1.0
LiteSpeed Technologies has patched CVE-2026-48172, a privilege-escalation vulnerability in its cPanel plugin that lets a low-privileged cPanel user trick the plugin into running scripts as root. The flaw has been observed under active exploitation. The fix lands in cPanel plugin v2.4.7 bundled with WHM plugin 5.3.1.0. Operators who cannot patch immediately are advised to uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. This follows last month's actively exploited CVE-2026-41940 (CVSS 9.8) in cPanel itself, which threat actors used to drop Mirai variants and the Sorry ransomware strain. cPanel hosting providers and resellers are the primary targets.
- Check
  - Inventory cPanel hosts running the LiteSpeed cPanel plugin. Confirm the WHM plugin version and the bundled cPanel plugin version on each host. Search /var/log/messages for unexpected lscmctl invocations.
- Affected
  - All LiteSpeed cPanel plugin versions before 2.4.7 (bundled with WHM plugin 5.3.1.0). Hosting providers and shared-hosting tenants where low-privileged cPanel users can run scripts are at highest risk.
- Fix
  - Upgrade to LiteSpeed WHM plugin 5.3.1.0 (with bundled cPanel plugin 2.4.7) immediately. Temporary mitigation: uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.
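The Check and Fix steps above, as a small triage script. This is an added example, not part of the LiteSpeed advisory and not code from the lscmctl tool: it assumes you read the cPanel plugin and WHM plugin versions from WHM yourself and pass them as arguments (it does not query lscmctl), compares them against the fixed releases named above, and greps a log for lscmctl mentions. The log lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-48172 (not part of the LiteSpeed advisory
# or the lscmctl tool). Versions are passed in by the operator; the only
# lscmctl facts used are the fixed release numbers from the advisory.

FIXED_CPANEL_PLUGIN="2.4.7"   # first fixed cPanel plugin version (advisory)
FIXED_WHM_PLUGIN="5.3.1.0"    # WHM plugin release that bundles it (advisory)

# version_lt A B: exit 0 when dotted version A is strictly older than B.
# Compares component by component, so 2.10 is correctly newer than 2.4.7.
version_lt() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0}; bi=${bi:-0}       # missing trailing component counts as 0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# needs_update CPANEL_VER WHM_VER: exit 0 when either plugin is below the fix.
needs_update() {
  version_lt "$1" "$FIXED_CPANEL_PLUGIN" || version_lt "$2" "$FIXED_WHM_PLUGIN"
}

# report CPANEL_VER WHM_VER: one-line verdict for a host.
report() {
  if needs_update "$1" "$2"; then
    echo "cPanel plugin $1 / WHM plugin $2: VULNERABLE to CVE-2026-48172, upgrade to $FIXED_CPANEL_PLUGIN / $FIXED_WHM_PLUGIN"
  else
    echo "cPanel plugin $1 / WHM plugin $2: patched"
  fi
}

# count_lscmctl_hits LOGFILE: number of lines mentioning lscmctl (0 if none).
count_lscmctl_hits() {
  grep -c 'lscmctl' "$1" || true
}

# show_lscmctl_hits LOGFILE: print matching lines with line numbers for review.
show_lscmctl_hits() {
  grep -n 'lscmctl' "$1" || true
}

# Constructed sample of /var/log/messages: an operator running the advisory's
# uninstall mitigation via sudo, and a cron entry under a cPanel user account
# that nobody scheduled (the kind of unexpected invocation worth reviewing).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
May  3 10:12:01 host1 sshd[1203]: Accepted publickey for admin from 203.0.113.5 port 50122
May  3 10:14:22 host1 sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
May  3 11:02:45 host1 CROND[2211]: (user1) CMD (/usr/local/lsws/admin/misc/lscmctl cpanelplugin --install)
May  3 11:03:10 host1 kernel: eth0: link up
EOF

# Stand-alone run: versions from the command line, defaulting to a constructed
# pre-fix pair so the vulnerable branch is shown.
report "${1:-2.4.6}" "${2:-5.3.0.0}"
echo "lscmctl mentions in $SAMPLE_LOG: $(count_lscmctl_hits "$SAMPLE_LOG")"
show_lscmctl_hits "$SAMPLE_LOG"
```

Run it as `sh triage.sh <cpanel-plugin-version> <whm-plugin-version>` on each host from your inventory; any host where `report` prints VULNERABLE should be upgraded or have the user-end plugin uninstalled as the Fix step describes. Point the grep helpers at the real /var/log/messages and review every lscmctl line whose invoking user or trigger (cron, a tenant shell) you cannot account for.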