LiteSpeed cPanel Plugin Zero-Day Exploited for Full Server Root Access.

A critical zero-day (CVE-2026-48172, CVSS 10.0) in the LiteSpeed User-End cPanel plugin is being actively exploited to allow any authenticated cPanel user to execute arbitrary scripts as root; exploitation requires a single malformed API call to the lsws.redisAble JSON-API endpoint, putting shared-hosting environments at catastrophic risk. cPanel forced a fleet-wide uninstall and a patch was released on May 21, 2026; administrators are instructed to scan logs for the observable indicator (grep for "cpanel_jsonapi_func=redisAble"), treat any hits as full compromise, rotate credentials, audit persistence mechanisms, and apply the provided patch or uninstall the plugin immediately.