LiteSpeed cPanel Plugin: Attacks on vulnerability observed

LiteSpeed develops plugins for various CMS. The one for cPanel has a security vulnerability that attackers are already exploiting.

A security vulnerability exists in the LiteSpeed plugin for cPanel, which the manufacturer classifies as critical. The US IT security authority CISA warns that attacks on it have been observed. Updated software is available.

In its warning, CISA names only the vulnerability under attack; the authority does not reveal details about the nature and scope of the attacks. LiteSpeed's own blog post provides more information. In it, the company urgently recommends updating to version 2.4.7 or newer; the vulnerability has been fixed since version 2.4.5 of the plugin. The update fixes a vulnerability in the end-user plugin for cPanel that allows attackers to escalate privileges: any cPanel user can exploit the flaw in the lsws.redisAble function to execute arbitrary code as root (CVE-2026-48172, CVSS 9.8, risk “critical”). The vulnerability is reportedly already being attacked in the wild, and versions 2.3 to 2.4.4 of the plugin for cPanel are vulnerable.

LiteSpeed also provides a command that admins can use to check if their server is affected:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If no results are returned, the server has not been attacked. However, if output appears, IT managers should check whether the IPs are legitimate and block them if necessary. Additionally, system logs should be examined to see whether attackers have made any changes. Of course, this only helps if attackers have not covered their tracks, for example by cleaning up the logs.

cPanel admins have already had to install software updates several times in May. About two weeks ago, security patches closed code-smuggling vulnerabilities in the cPanel and WebHost Manager (WHM) web server and management software.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.