LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root

The Hacker News

Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities When Identity is the Attack Path 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API Agent AI is Coming. Are You Ready? Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit Grafana GitHub Breach Exposes Source Code via TanStack npm Attack GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability The New Phishing Click: How OAuth Consent Bypasses MFA Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More How to Reduce Phishing Exposure Before It Turns into Business Disruption Developer Workstations Are Now Part of the Software Supply Chain Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure How AI Hallucinations Are Creating Real Security Risks Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation [Webinar] Why Your AppSec Tools Miss the "Lethal Path" (and How to Fix It) Most Remediation Programs Never Confirm the Fix Actually Worked Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data Android Adds Intrusion Logging for Sophisticated Spyware Forensics New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots Webinar: What the Riskiest SOC Alerts Go Unanswered - and How Radiant Security Can Help Why Agentic AI Is Security's Next Blind Spot Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories Day Zero Readiness: The Operational Gaps That Break Incident Response PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing? Google's Android Apps Get Public Verification to Stop Supply Chain Attacks

info@thehack · 2026-05-23 · via The Hacker News

Ravie LakshmananMay 23, 2026Vulnerability / Web Security

A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.

The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.

"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said.

The vulnerability impacts all versions of the plugin between 2.3 and 2.4.4. LiteSpeed's WHM plugin is not impacted. The issue has been addressed in version 2.4.5. Security researcher David Strydom has been credited with discovering and reporting the flaw.

LiteSpeed noted that the "vulnerability is being actively exploited," but refrained from sharing additional details. It has shared the following indicator of compromise -


grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If running the aforementioned "grep" command does not produce any output, the server is not affected. However, if there is any output, users are advised to examine the IP addresses in the list and determine if they are legitimate, and if not, block them.

Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins and released cPanel plugin version 2.4.7 bundled with WHM plugin version 5.3.1.0.

Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher, to patch the vulnerability. If immediate patching is not an option, it's recommended to remove the user-end plugin by running the below command -


/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

The development comes weeks after a critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

The Hacker News