Two LiteSpeed cPanel Bugs Are Handing Attackers Root — One CISA Deadline Is Today
The LiteSpeed cPanel plugin doesn't earn many headlines. It sits quietly on shared hosting servers doing routine work: bridging cPanel's user interface to LiteSpeed Web Server, handling per-user Redis toggles, managing cache settings. This week it earned two CISA Known Exploited Vulnerabilities entries in the span of three days — and both let an attacker walk from a standard cPanel account to full root access on the server. Neither exploit requires anything exotic.
CVE-2026-48172: A Redis Toggle That Ran as Root
The first vulnerability, CVE-2026-48172, carries a CVSS v4.0 score of 10.0. It lives in the plugin's lsws.redisAble function — the feature that lets cPanel users enable or disable Redis caching for their accounts. The function was exposed through the standard cPanel JSON API but ran with elevated system privileges without restricting who could call it. Any authenticated cPanel user could invoke it with a single HTTP request using the cpanel_jsonapi_func=redisAble parameter and execute arbitrary scripts as root.
LiteSpeed confirmed the flaw was exploited as a zero-day before a patch was available. On May 19, 2026, cPanel pushed an emergency command to automatically uninstall the vulnerable user-end plugin from servers running nightly cPanel updates. LiteSpeed released the fix — WHM Plugin v5.3.1.0 bundled with user-end plugin v2.4.7 — on May 21. Affected versions are user-end plugin 2.3 through 2.4.4. CISA added CVE-2026-48172 to its KEV catalog and set today, June 16, as the hard remediation deadline for Federal Civilian Executive Branch agencies.
To check whether your server saw exploitation attempts before the patch, scan your cPanel logs:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
CVE-2026-54420: A Symlink Problem That Also Reaches Root
CVE-2026-54420 (CVSS 8.5) is a different mechanism with the same destination. It's a UNIX symbolic link following flaw — CWE-61 — in how the plugin handles symlinks on servers running CloudLinux or CageFS. An attacker doesn't need an admin credential. FTP access or a web shell on a shared account is enough. By placing crafted symlinks in specific locations, the attacker can cause the LiteSpeed process to follow those links outside the intended directory boundary and execute code as root.
Active exploitation was already underway in May 2026 before the CVE identifier was formally assigned. LiteSpeed released the patch on June 1 — WHM Plugin v5.3.2.1, bundled with user-end plugin v2.4.8. CISA added the flaw to the KEV catalog on June 15, 2026, with a federal remediation deadline of June 18. The affected range is any version of the user-end plugin prior to 2.4.8.
Why This Cuts Harder on Shared Hosting
Neither vulnerability is novel in concept — privilege escalation bugs exist everywhere. What makes these particularly serious is the environment they target. Shared hosting puts dozens to hundreds of customer accounts on a single server and relies on isolation technology like CageFS to keep them separated. Each tenant stays in its cage; the cages don't talk to each other. That boundary is the security guarantee the entire shared-hosting model rests on.
Root access dissolves that guarantee entirely. With root, an attacker can read every account's files, extract database credentials from configuration files across every hosted site, modify any codebase, install a persistent backdoor that survives plugin updates, or exfiltrate data from hundreds of businesses without ever triggering a per-account alert. They don't need to compromise each account separately — they compromise one, break out, and then the entire server is theirs. The blast radius of one unpatched plugin in a multi-tenant environment can be every customer on the box.
What to Do Right Now
If you manage a cPanel server running LiteSpeed, verify your plugin versions today:
- CVE-2026-48172: User-end plugin must be 2.4.7 or higher (WHM Plugin 5.3.1.0+). Note that cPanel's emergency May 19 auto-removal uninstalled the plugin but did not reinstall the patched version. Confirm the patched build is actually present and running.
- CVE-2026-54420: User-end plugin must be 2.4.8 or higher (WHM Plugin 5.3.2.1+). Run the official installer to apply the latest build:
wget -O- https://litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh | sh
- If you cannot patch immediately, uninstalling the user-end plugin entirely is an acceptable temporary mitigation — the WHM plugin component is not affected by either CVE.
- Review server logs for the redisAble API call pattern (CVE-2026-48172) and look for bursts of concurrent API requests from single IP addresses, which CISA flagged as a behavioral indicator for CVE-2026-54420 exploitation.
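As an added example (not from the article, LiteSpeed or cPanel), the following Python script applies both log checks described above: it flags every request carrying the redisAble parameter (CVE-2026-48172) and reports IPs that send a burst of cPanel API requests inside a short window (the behavioral indicator for CVE-2026-54420). The common-log-style line layout, the sample log lines, and the /json-api/ and /execute/ path prefixes used to classify API requests are assumptions; adjust LINE_RE and TS_FORMAT to your server's actual access_log before running it on real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-style layout assumed here; adapt LINE_RE and TS_FORMAT to the
# actual layout of your server's access_log before running against real data.
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
REDIS_ABLE = "cpanel_jsonapi_func=redisAble"  # CVE-2026-48172 call pattern from the article
# Constructed sample (not real data): one redisAble call, one page view, then
# twelve API requests from the same IP inside three seconds.
SAMPLE_LOG = [
    '203.0.113.7 - tenant1 [10/Jun/2026:08:15:02 +0000] '
    '"GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0',
    '198.51.100.4 - tenant2 [10/Jun/2026:08:16:10 +0000] '
    '"GET /frontend/jupiter/index.html HTTP/1.1" 200 12100',
] + [f'203.0.113.7 - tenant1 [10/Jun/2026:08:20:{s % 3:02d} +0000] '
     f'"POST /execute/Fileman/list_files HTTP/1.1" 200 0' for s in range(12)]

def parse(line):
    """Fields of one access-log line as a dict (timestamp parsed), or None on no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec

def find_redis_able_calls(lines):
    """(ip, user, timestamp) for each request carrying the redisAble parameter."""
    recs = filter(None, map(parse, lines))
    return [(r["ip"], r["user"], r["ts"]) for r in recs if REDIS_ABLE in r["path"]]

def find_api_bursts(lines, window=timedelta(seconds=10), threshold=10):
    """{ip: peak count} for IPs sending >= threshold API requests within one window."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["path"].startswith(("/json-api/", "/execute/")):  # cPanel API paths (assumed)
            per_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts
```

A single redisAble hit is worth investigating on its own, since the page describes it as a one-request root compromise; the burst threshold and window should be tuned to your own baseline API traffic.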
If you're a small business on shared hosting, you likely can't check the server version yourself — but you can ask your host directly. A responsible provider should be able to confirm within minutes which plugin version is running and when the last update was applied.
At Falcon Internet, our 24x7x365 NOC monitoring workflow applied both the May 21 and June 1 LiteSpeed patches across our fleet within hours of vendor release. The broader point is this: shared hosting security is a provider-level responsibility more than a user-level one. The cage keeps tenants safe only as long as the software around the cage is current — and right now, two separate agencies are telling the internet that this particular piece of software is overdue.