LiteSpeed cPanel Plugin CVE-2026-48172 CVSS 10.0 Exploited

A CVSS 10.0 flaw in the LiteSpeed cPanel plugin lets any authenticated user execute arbitrary scripts as root, compromising all tenants on a shared host.

    CVE-2026-48172, a maximum-severity privilege escalation flaw in the LiteSpeed User-End cPanel Plugin, is under active exploitation. Opportunistic threat actors are scanning the internet for vulnerable web hosting environments, and any authenticated cPanel user can exploit the flaw to execute arbitrary scripts with root privileges on the underlying server.

    CVE-2026-48172: Incorrect Privilege Assignment in LiteSpeed cPanel Plugin 2.3–2.4.4

    The vulnerability affects LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. Its root cause is incorrect privilege assignment: the plugin lets any authenticated cPanel user, regardless of permission level, execute arbitrary scripts as root on the host system. The only precondition is a valid cPanel login; no further exploitation technique is needed. An attacker who controls a single low-privilege shared hosting account can use this flaw to achieve full compromise of the host.

    The vulnerability carries a CVSS score of 10.0, the maximum on the scale. Remediation requires upgrading to LiteSpeed WHM Plugin version 5.3.1.0, which bundles cPanel plugin v2.4.7 or higher. There is no workaround; applying the patch is the only fix. Note that the affected range is stated in terms of the user-end cPanel plugin while the fix is tracked by the WHM plugin release, so confirm the installed user-end plugin version on each host after upgrading rather than inferring it from the WHM plugin version alone.
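The version arithmetic matters in practice: "2.4.10" sorts below "2.4.4" as a string, so a naive check can report a patched host as vulnerable or, worse, the reverse. The following added example (mine, not LiteSpeed's or cPanel's code, and not from the advisory) classifies an inventory of installed plugin versions against the affected range and the fixed releases stated above. The inventory, its host names and its version strings are constructed; how the installed versions are collected from each host, and the exact version-string format the plugin reports, are assumptions.

```python
"""
Added example: triage a fleet against CVE-2026-48172 by plugin version.
Not code from the advisory, LiteSpeed or cPanel. Assumes version strings
are dotted integers like "2.4.4"; collecting them from real hosts is
left to the operator.
"""
from __future__ import annotations

from typing import NamedTuple, Optional

Version = tuple  # tuple of ints, e.g. (2, 4, 4)

# Figures from the advisory text above.
AFFECTED_MIN = (2, 3)        # first affected user-end plugin release
AFFECTED_MAX = (2, 4, 4)     # last affected user-end plugin release
FIXED_CPANEL_PLUGIN = (2, 4, 7)
FIXED_WHM_PLUGIN = (5, 3, 1, 0)


def parse_version(text: str) -> Version:
    """'v2.4.10' -> (2, 4, 10). Numeric tuples compare correctly;
    comparing the raw strings would rank '2.4.10' below '2.4.4'."""
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(cpanel_plugin: str, whm_plugin: Optional[str] = None) -> str:
    """Return 'vulnerable', 'patched' or 'needs-review'.

    vulnerable   : user-end plugin is inside the advisory's 2.3-2.4.4 range.
    patched      : user-end plugin is 2.4.7 or later and, when the WHM
                   plugin version is known, it is 5.3.1.0 or later.
    needs-review : everything else (2.4.5/2.4.6, pre-2.3 releases, or a
                   fixed user-end plugin paired with an old WHM plugin).
                   The advisory says nothing about these, so do not
                   assume they are safe.
    """
    v = parse_version(cpanel_plugin)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_CPANEL_PLUGIN:
        if whm_plugin is None or parse_version(whm_plugin) >= FIXED_WHM_PLUGIN:
            return "patched"
    return "needs-review"


class Host(NamedTuple):
    name: str
    cpanel_plugin: str
    whm_plugin: Optional[str]


def triage(inventory: list) -> dict:
    """Group host names by classification so the vulnerable set is
    patched first and the needs-review set is checked by hand."""
    out = {"vulnerable": [], "needs-review": [], "patched": []}
    for h in inventory:
        out[classify(h.cpanel_plugin, h.whm_plugin)].append(h.name)
    return out


# Constructed sample inventory: host names and WHM plugin version
# strings are made up for illustration, not real release numbers.
SAMPLE_INVENTORY = [
    Host("shared-01", "2.3", "5.2.0.0"),
    Host("shared-02", "2.4.4", "5.3.0.0"),
    Host("shared-03", "2.4.10", "5.3.1.0"),
    Host("shared-04", "2.4.7", "5.2.9.0"),
    Host("shared-05", "2.4.5", None),
    Host("shared-06", "2.2", None),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The `needs-review` bucket is deliberate: a version the advisory does not list is not evidence of safety, and a host whose user-end plugin reports 2.4.7 while the WHM plugin is still old should be inspected rather than marked patched.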

    How Root Access on a Shared Hosting Server Affects All Tenants

    The shared hosting context makes this vulnerability particularly destructive in scope. A root-level compromise of one shared hosting server does not affect only the account the attacker used to gain entry. Root access enables the attacker to read, modify, or delete data belonging to all customer accounts hosted on the same server, install persistent backdoors, pivot to adjacent hosting infrastructure managed by the same provider, and deploy malware across all tenant websites simultaneously.

    Web hosting companies and managed service providers running LiteSpeed and cPanel together may host hundreds of distinct customer websites and databases per server. A single exploitation event at that scale exposes the data and infrastructure of every tenant on the affected system.

    Active Exploitation Pattern and the LiteSpeed/cPanel Deployment Scale

    The current exploitation activity is characterized by automated scanning rather than targeted attacks — opportunistic tools probing the internet for any vulnerable LiteSpeed/cPanel installation rather than specific high-value organizations. That pattern means all hosting providers with vulnerable configurations are at risk, not just prominent or large operators.

    Why the LiteSpeed/cPanel Combination Represents a High-Priority Patching Target

    cPanel is the dominant web hosting control panel for shared hosting environments worldwide and supports tens of millions of domains. LiteSpeed is widely deployed as an alternative to Apache in cPanel hosting stacks. The combination of maximum CVSS severity, an extremely common deployment configuration, and confirmed active exploitation means web hosting companies and MSPs with LiteSpeed/cPanel installations should treat this as an emergency patching priority rather than a routine update cycle item.

    Any hosting provider or MSP that has not yet deployed LiteSpeed WHM Plugin 5.3.1.0 with cPanel plugin v2.4.7 should assume the ongoing scanning campaign has already reached its internet-facing installations: patch immediately, then review those hosts for evidence of exploitation, since a single compromised account on an unpatched server is enough to obtain root.
