LiteSpeed cPanel Plugin (CVE‑2026‑48172) Remote Code Execution Enables Root Script Execution
What It Is – A critical privilege‑escalation flaw in the LiteSpeed User‑End cPanel plugin allows any authenticated cPanel user, or a compromised account, to execute arbitrary scripts with root privileges. The vulnerability is tracked as CVE‑2026‑48172 and carries a CVSS v3.1 base score of 10.0.
Exploitability – Public exploit code has been observed in the wild; threat actors are actively leveraging the bug to gain full system control on vulnerable hosting environments. No vendor‑issued patch is available at the time of writing.
Affected Products – LiteSpeed Web Server + User‑End cPanel Plugin (versions prior to the undisclosed fix) deployed on shared‑hosting or managed‑hosting platforms that use cPanel.
TPRM Impact – The flaw creates a direct supply‑chain risk for organizations that outsource web‑hosting to providers using LiteSpeed‑cPanel stacks. A compromised host can be used to pivot into customer environments, exfiltrate data, or host ransomware.
Recommended Actions –
- Immediately inventory all third‑party hosting providers that run LiteSpeed with the cPanel plugin.
- Push emergency mitigation: restrict cPanel access to trusted IPs, enforce MFA, and monitor for anomalous script execution.
- Contact providers for patch status; if no fix is forthcoming, consider temporary migration to alternative web‑server stacks.
- Deploy host‑based IDS/EDR to detect unexpected root processes.
- Update incident‑response playbooks to include this specific CVE.
Source: The Hacker News