Vivian Voss

Read on LinkedIn

Your Neighbour Is Now Root

security freebsd architecture web

Wire Fire ❯❯❯❯ Episode 03

On a shared hosting server you share one machine with hundreds of strangers. You have never met them. You did not choose them. This week it emerged that, for a large slice of the world's shared hosting, any one of them could quietly become root, the all-powerful administrator account, and on a shared server root over one account is root over all of them. This is the situation, what it means, and what to do about it.

The Breach

CVE-2026-48172 is a flaw in the LiteSpeed cPanel plugin: the component that wires the LiteSpeed web server into cPanel and WHM, the control panel that runs a large share of the world's commercial shared hosting. The plugin is the user-end piece that hundreds of customer accounts can reach through the ordinary cPanel interface.

The timeline is short and worth stating precisely. On 19 May 2026, cPanel pulled the plugin from servers through a nightly update, stating plainly that the vulnerability "allowed unauthorized root access to the server". On 21 May, LiteSpeed shipped a fix, version 2.4.5, after which a broader security review produced version 2.4.7, bundled in the LiteSpeed WHM plugin 5.3.1.0. On 26 May, CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalogue: confirmation that it had been used as a zero-day, in the wild, before the patch existed.

Zero-Day First, Patch Second exploited with no patch available 19 May cPanel pulls plugin, "unauthorized root" 21 May LiteSpeed fix, v2.4.5 (then 2.4.7) 26 May CISA KEV: actively exploited Rated 10.0 on CVSS v4.0, the maximum. The number matters less than the phrase: unauthorized root access.

The flaw is rated at the top of the scale: 10.0 on the CVSS v4.0 system, 9.8 on the older v3.1. The number matters less than the sentence cPanel used: unauthorized root access. On a shared server, that is the worst sentence there is.

The Scope

Every version of the plugin from 2.3 through 2.4.4 is affected.

The exposed machines are shared hosting servers, and the word "shared" is the whole story. On such a server, hundreds of customer accounts, each a separate website, a separate business, a separate owner, live side by side on one operating system, under one kernel, with one root account reserved for the host. They are kept apart not by a hard wall but by the convention that each account stays in its own lane.

This is not a niche stack. Exposure analysis of the affected estate shows it spread across industry, retail and media, with nearly half of all observed exposure falling outside the top sectors entirely: the long tail of small businesses, agencies and personal sites that is precisely what shared hosting exists to serve. cPanel is not an obscure tool. It is the default way a great deal of the web is hosted.

The Mechanism

Here is the part that should change behaviour, in plain terms.

On a shared server, every customer is an ordinary, unprivileged user. Root, the account that can do anything to the whole machine, belongs to the host alone. The entire security model rests on customers never being able to reach it.

The plugin exposed a function named lsws.redisAble, reachable through cPanel's standard JSON API by any logged-in customer. The function had one fatal omission: it did not check who was calling. It ran with root's authority regardless of which unprivileged user invoked it. This is a textbook case of what the security taxonomy calls incorrect privilege assignment (CWE-266): code that runs with more power than its caller was entitled to.

A Function That Forgot to Ask Who Was Calling unprivileged customer or one phished password normal API call lsws.redisAble via cPanel JSON API missing: who is calling? (CWE-266) runs the script as root regardless of the caller the whole machine every site's files, databases, credentials, not just one slice No firewall breach, no kernel exploit, no physical access. Just a normal call.

The consequence is direct. Any customer on the server, or any attacker who had phished or bought a single customer's password, could ask that function to run a script of their choosing. The script ran as root. From there, the attacker held the entire machine: every other customer's files, every database, every credential, every site. Not their own slice. The whole server.

Note what was not required. No firewall breach. No kernel exploit. No physical access. Just a normal account, a normal API call, and a function that forgot to ask for identification at the door.

The Exposure

If you operate cPanel with the LiteSpeed plugin in any version from 2.3 to 2.4.4, treat this as urgent. Upgrade to version 2.4.7 (delivered with WHM plugin 5.3.1.0 or later), or remove the plugin entirely if you cannot patch immediately. Then assume you may already have been visited: search your logs for the tell-tale call with grep -rE "cpanel_jsonapi_func=redisAble", investigate any matches, audit recently created accounts, and restrict cPanel and WHM access to trusted source addresses where you can.

If you are a hosting customer rather than an operator, here is the uncomfortable truth: you cannot patch this. The vulnerable code is not in your account; it is in the machine your account sits on. Your only lever is to ask your provider whether they have patched, and to treat the answer as a real procurement question rather than a formality.

On FreeBSD, the boundary this incident is missing has a name: the jail. A jail is kernel-enforced isolation. A process inside a jail cannot see the host's processes, cannot touch files outside its own root, and cannot escalate to the host's root, because from inside the jail the host's root does not exist to be reached. A shared hosting panel emulates separation between tenants inside a single shared system, using ownership rules and plugin logic. A jail enforces it one level down, in the kernel, where a forgotten privilege check in a plugin cannot reach. The same idea underpins Linux containers and illumos zones; the point is not the brand but the level at which the wall is built.

Walls of Good Manners vs Walls of Kernel Shared hosting one OS, one kernel, one root site A site B site C walls = ownership + plugin code root (shared) one fumbled check → every site FreeBSD jails host kernel, host root (unreachable) jail A own root jail B own root jail C own root walls = the kernel a plugin fault stays inside its jail host root does not exist to be reached

The Pattern

Shared hosting sells a boundary it does not enforce, and that is the structural news under this week's headline.

Hundreds of tenants share one kernel, one filesystem and one root. The separation between them lives in user permissions, in panel logic and in plugin code, which is to say it lives in software written by people, all of it one mistake away from failing. When that mistake lands on a privilege check, the blast radius is not the one account that was compromised. It is every account on the machine. The model works perfectly right up until any single component fumbles, and then it fails completely, for everyone at once.

For a decision-maker, the translation is direct and it belongs in a procurement conversation, not a post-incident one. On shared hosting, your security boundary is not your own account and your own good practices. It is the weakest account on the same server, managed by the least careful neighbour you have never met. If the data you host would genuinely hurt you to lose or to leak, the question is not whether your password is strong. It is whether you are sharing a kernel with strangers. Budget for real isolation, a VPS, kernel-enforced containers, jails, zones, or accept, consciously, that your neighbour is part of your threat model.

You never chose the strangers on your server. This week, one of them could choose to be you. On shared hosting your security boundary is not your account. It is the weakest account on the same machine.