Critical cPanel LiteSpeed Vulnerability Exposes Servers to Root-Level Exploits, Urgent Update Required
May 23, 2026
A critical vulnerability in the cPanel LiteSpeed plugin allows any cPanel user, including a compromised account, to execute scripts as root via the lsws.redisAble function, with versions 2.3 through 2.4.4 affected and active exploitation observed in the wild.
The issue is being exploited in real-world attacks.
An indicator of compromise is available for detection: search for suspicious patterns using grep -rE.
The vulnerable parameter is cpnl_jsonapi_func=redisAble, which triggers the exploit path.
LiteSpeed has publicly disclosed this as a maximum-severity vulnerability, CVE-2026-48172, caused by incorrect privilege assignment that permits arbitrary script execution with elevated privileges.
LiteSpeed’s WHM plugin is not affected; the vulnerability has been patched in cPanel plugin version 2.4.5, following discovery by security researcher David Strydom.
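As an added example (not part of the original article or of LiteSpeed's advisory), the grep -rE search mentioned above can be wrapped so that hits are summarised per client and per file. The log format, directory layout and sample lines are constructed assumptions; the parameter string is copied exactly as printed in this summary.

```shell
#!/bin/sh
# Added example: summarise log lines that carry the IoC parameter named above.
# Assumption: logs are plain text with the client address as the first field.

IOC_PATTERN='cpnl_jsonapi_func=redisAble'   # string exactly as printed in the summary

# scan_ioc_clients DIR: print "<hits> <client>" per client, busiest first.
scan_ioc_clients() {
    # -r recurse, -E extended regex, -h drop file names so awk sees the raw line
    grep -rEh -- "$IOC_PATTERN" "$1" 2>/dev/null |
        awk '{ hits[$1]++ } END { for (c in hits) print hits[c], c }' |
        sort -k1,1nr -k2,2
}

# scan_ioc_files DIR: print each file that contains at least one hit.
scan_ioc_files() {
    grep -rlE -- "$IOC_PATTERN" "$1" 2>/dev/null | sort
}

# write_sample_logs DIR: constructed log lines (documentation IP ranges,
# made-up users, paths and a made-up benign function name).
write_sample_logs() {
    mkdir -p "$1/archive"
    cat > "$1/access_log" <<'EOF'
192.0.2.10 - userA [23/May/2026:10:00:01 +0000] "POST /sample/path?cpnl_jsonapi_func=redisAble HTTP/1.1" 200 12
192.0.2.10 - userA [23/May/2026:10:00:05 +0000] "POST /sample/path?cpnl_jsonapi_func=redisAble HTTP/1.1" 200 12
198.51.100.7 - userB [23/May/2026:10:02:00 +0000] "GET /sample/path?cpnl_jsonapi_func=otherFunc HTTP/1.1" 200 40
EOF
    cat > "$1/archive/access_log.1" <<'EOF'
203.0.113.5 - userC [22/May/2026:23:59:59 +0000] "POST /sample/path?cpnl_jsonapi_func=redisAble HTTP/1.1" 200 12
EOF
}

# Demo on the constructed sample; pass a real log directory to the functions instead.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
scan_ioc_clients "$demo_dir"
scan_ioc_files "$demo_dir"
rm -rf "$demo_dir"
```

Any client listed by scan_ioc_clients on a server running plugin versions 2.3 through 2.4.4 warrants review of that account's activity in addition to updating to 2.4.5.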
Summary based on 1 source
Source

The Hacker News • May 23, 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root