CVE-2026-48172
Published: 21 May 2026
Summary
CVE-2026-48172 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Litespeedtech Litespeed Cpanel Plugin. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 7.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
- Regular reviews catch incorrect privilege assignments to users, roles, or processes.
- Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
- The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
- Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct privilege escalation vulnerability (CWE-266) in the cPanel plugin maps to Exploitation for Privilege Escalation (T1068), since it allows an attacker to escalate privileges, possibly to root.
NVD Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
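The detection step in the description above, worked through in POSIX shell as an added example (not from the NVD entry, LiteSpeed or cPanel): it runs the same grep for the cpanel_jsonapi_func=redisAble indicator over the log directories, tallies the source addresses so they can be reviewed, and pulls the other log lines from those addresses for damage assessment. The log line format and addresses in make_sample_logs are constructed for the example; the real cPanel log layout is not described on the page, and the IPv4 extraction assumes the client address appears as a whitespace-separated token on each hit line. The function names (scan_for_indicator, count_hits, summarise_hits, related_activity, make_sample_logs) are this example's own.

```shell
#!/bin/sh
# Added example, not from the NVD entry, LiteSpeed or cPanel: a small
# POSIX sh toolkit around the grep detection command in the advisory.
# Indicator string taken from the advisory text.
INDICATOR='cpanel_jsonapi_func=redisAble'

# List every hit as "file:line:content" across the given log directories,
# recursively. Same search as the advisory's grep, with filenames added.
scan_for_indicator() {
    grep -rnE "$INDICATOR" "$@" 2>/dev/null
}

# Number of hit lines (0 means the indicator was not found, i.e. no sign
# of exploitation by this check).
count_hits() {
    scan_for_indicator "$@" | awk 'END { print NR }'
}

# Tally hits by source IPv4 address, most frequent first, as "<count> <ip>".
# Assumption: the client address is a whitespace-separated token on the
# line (true for common access-log layouts; check your actual log format).
# Lines with no such token are counted under "no-ip".
summarise_hits() {
    grep -rhE "$INDICATOR" "$@" 2>/dev/null \
      | awk '{
            ip = "no-ip"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' \
      | sort -rn
}

# For each address seen in the hits, print its other log lines (the ones
# without the indicator) so the extent of the activity can be assessed.
# Plain substring match: 10.0.0.1 also matches 10.0.0.10; review manually.
related_activity() {
    summarise_hits "$@" | awk '$2 != "no-ip" { print $2 }' \
      | while read -r ip; do
            grep -rhF "$ip" "$@" 2>/dev/null | grep -vF "$INDICATOR"
        done | sort -u
}

# Build a throwaway log tree with CONSTRUCTED lines (not real cPanel output)
# and print its path, so the functions above can be exercised offline.
make_sample_logs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/logs/archive" "$dir/empty"
    cat > "$dir/logs/access_log" <<'EOF'
203.0.113.7 - - [19/May/2026:10:01:22 +0000] "GET /?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.9 - - [19/May/2026:10:02:01 +0000] "GET /frontend/index.html HTTP/1.1" 200 2048
203.0.113.7 - - [19/May/2026:10:03:10 +0000] "GET /?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
    cat > "$dir/logs/archive/access_log.1" <<'EOF'
198.51.100.9 - - [18/May/2026:23:59:58 +0000] "GET /?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
    printf '%s\n' "$dir"
}

# Run with --demo to see the summary on the constructed sample; otherwise
# source this file and call, e.g.,
#   summarise_hits /var/cpanel/logs /usr/local/cpanel/logs/
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logs)
    summarise_hits "$d/logs"
    related_activity "$d/logs"
    rm -rf "$d"
fi
```

On the constructed sample, summarise_hits reports two hits from 203.0.113.7 and one from 198.51.100.9, and related_activity surfaces the one non-indicator request from 198.51.100.9, which is the kind of line the advisory asks you to review when judging what else an address did. An empty hit count matches the advisory's "no output" case.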
Deeper analysis
Automated synthesis unavailable for this CVE.
Details
- CWE(s): CWE-266 (Incorrect Privilege Assignment)
- OWASP Top 10 Web 2025
- KEV Date Added: 26 May 2026
Affected Products
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31204
Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)
NIS2 incident reporting (active exploitation)
Active exploitation triggers mandatory incident-reporting obligations under NIS2 Article 23 for essential and important entities in the EU (24-hour early warning, 72-hour update, 1-month final report). The UK NIS Regulations 2018 impose equivalent timelines on designated operators of essential services.
EU Cyber Resilience Act — coordinated disclosure
Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.