CVE Watch · Published 2026-05-21

cPanel CVE-2026-48172: Redis gets you root. Again.

CVSS 10.0. Unauthenticated. No user interaction required. If your cPanel server runs Redis and you haven't patched in the last 24 hours, someone can escalate from nobody to root through the Redis Unix socket. This isn't theoretical. PoC signals are already circulating.

What we know so far

  • CVE-2026-48172 — privilege escalation via Redis socket in cPanel & WHM. An unauthenticated local or adjacent-network attacker can hijack the Redis Unix socket to write arbitrary cron entries or SSH keys, escalating to root. CVSS 10.0 (Critical).
  • Exploit signal: YES. Wordfence and independent researchers have flagged PoC-level activity.
  • Published: 2026-05-21. This is fresh. Patch windows are still open for most operators.
  • Products affected: cPanel & WHM servers with Redis enabled (common in WordPress caching setups).
  • CWE-266: Incorrect Privilege Assignment.
  • Third major cPanel CVE in 2026: CVE-2026-41940 (CRLF injection, April), CVE-2026-29201/29202/29203 (May 8), and now this. If you're running cPanel, your attack surface is getting hammered.

Why this one is ugly

I've been tracking the cPanel CVE pipeline since the 41940 wave back in April. This one is worse in one specific way: Redis is everywhere on cPanel boxes. Anyone running WordPress with object caching, LiteSpeed Cache, or WooCommerce session storage has Redis enabled. That's not a niche configuration. That's most production cPanel servers I've worked on.

The attack path goes through the Redis Unix socket. On a default cPanel install, Redis runs as an unprivileged user but the socket permissions are too loose. An attacker who can reach the socket (local user, compromised PHP script, or adjacent container) can use Redis's CONFIG SET and SAVE commands to write arbitrary files as root. The classic move is writing an SSH authorized_keys file or a cron job. It's the same technique that's been hitting standalone Redis instances for years, but cPanel's privilege boundary makes it a full root escalation.
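
A defender-side check for the technique described above, added here as an example (not code from cPanel or from this page's author): it reports who besides the owner can connect to a Redis Unix socket, and scans cron and SSH key locations for files that begin with a Redis RDB header, which is what SAVE writes whatever the target filename. The socket path is not given on this page and is passed as an argument; the scanned paths are assumed common Linux defaults.

```python
import os
import stat
import sys

# Assumed defaults (not from the page): common Linux cron and root SSH key locations.
DROP_TARGETS = ["/var/spool/cron", "/etc/cron.d", "/root/.ssh/authorized_keys"]

def socket_findings(mode):
    """Explain who besides the owner can connect, given the socket's st_mode.
    On Linux, connecting to a Unix socket requires write permission on it."""
    if not stat.S_ISSOCK(mode):
        return ["not a unix socket"]
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can connect")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: review members of the owning group")
    return findings

def looks_like_rdb(path):
    """True if the file starts with an RDB header ("REDIS" + 4-digit version),
    which a Redis SAVE writes regardless of the configured filename."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(9)
    except OSError:
        return False
    return len(head) == 9 and head[:5] == b"REDIS" and head[5:].isdigit()

def scan_for_rdb(targets):
    """Return files under the given files/directories that carry an RDB header."""
    hits = []
    for target in targets:
        if os.path.isdir(target):
            for root, _dirs, files in os.walk(target):
                hits += [os.path.join(root, f) for f in files
                         if looks_like_rdb(os.path.join(root, f))]
        elif looks_like_rdb(target):
            hits.append(target)
    return sorted(hits)

if __name__ == "__main__":
    # argv[1]: path to the Redis Unix socket (hypothetical; supply your server's own).
    if len(sys.argv) > 1:
        for finding in socket_findings(os.stat(sys.argv[1]).st_mode):
            print(f"[socket] {sys.argv[1]}: {finding}")
    for hit in scan_for_rdb(DROP_TARGETS):
        print(f"[rdb] {hit}: Redis dump header in a cron/SSH key location")
```

Run it as root so the cron spool and /root/.ssh are readable. Any [rdb] hit means a Redis dump landed where a crontab or key file belongs and should be treated as a compromise indicator.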

If you already patched CVE-2026-41940

Good. But that doesn't help here. Different bug, different vector. 41940 was pre-auth CRLF injection in the web interface. This one goes through Redis on the backend. You need a separate patch for this one.

If your server was compromised during the 41940 wave and an attacker dropped a webshell or a low-privilege backdoor, they now have a local escalation path to root through this Redis bug. That's the nightmare scenario: old backdoor + new priv-esc = full root again.

Ping7 is not affiliated with cPanel L.L.C., WebPros, or any hosting provider mentioned. All trademarks belong to their owners. This page references public CVE data only and does not include proof-of-concept code or exploitation steps.