CVE-2026-54420
published 2026-06-14

Priority: P1 (83, high)
CVSS 3.1: 8.5 (high)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), due 2026-06-18
Exploited in the wild
EPSS: 1.26% (65.9th percentile)
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

Affected

3 ranges

Vendor                 | Product                 | Version range    | Fixed in
-----------------------|-------------------------|------------------|---------
litespeed_technologies | cpanel_plugin           | >= 2.3, < 2.4.8  | 2.4.8
litespeedtech          | litespeed_cpanel_plugin | < 2.4.8          | 2.4.8
litespeedtech          | litespeed_whm_plugin    | < 5.3.2.0        | 5.3.2.0

Detection & IOCs (extracted from sources)

command: grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
path: /usr/local/cpanel/logs/
path: /var/cpanel/logs/
  • Look for log entries containing 'cpanel_jsonapi_func=generateEcCert' immediately followed by 'cpanel_jsonapi_func=packageUserSize' for the same user — legitimate UI flows do not chain these two calls together.
  • Detect exploitation attempts by identifying 7–10 concurrent calls per attempt in cPanel logs; legitimate UI activity issues only one call at a time.
  • Search cPanel and WHM logs for the string 'cert_action_entry' followed by 'geneccert' as an indicator of exploitation activity.
  • If the grep command produces any output, examine system logs for actions taken by the detected IPs to assess damage scope.
  • Exploitation vector is UNIX symlink following by a user with FTP or web shell access on shared hosting servers running CloudLinux/CageFS; monitor for unexpected symlink creation in user-writable directories on such hosts.
  • Vulnerability only affects LiteSpeed cPanel plugin versions before 2.4.8 (bundled with LiteSpeed WHM Plugin before 5.3.2.0); servers already running v2.4.8 / WHM Plugin v5.3.2.1 or higher are not affected.
  • The attack surface is limited to shared hosting servers running CloudLinux/CageFS; servers not using these isolation technologies have a different risk profile.
  • Active exploitation was flagged by LiteSpeed in early June 2026 and confirmed as in-the-wild since May 2026; treat any positive grep output as a potential compromise requiring forensic triage per CISA BOD 26-04 guidance.
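The three log indicators above (the generateEcCert → packageUserSize chain for one user, bursts of 7–10 concurrent API calls, and the cert_action_entry / geneccert marker) can be checked programmatically rather than with the single grep. The script below is an added example, not LiteSpeed's, cPanel's or this database's code. It assumes a simplified access-log layout (IP, user, bracketed timestamp, request line) for the constructed sample lines; the real cPanel log layout may differ, so LOG_RE and the timestamp format are assumptions to adapt to your installation. The burst window of 2 seconds is also an assumption; the page only says legitimate UI activity issues one call at a time.

```python
"""Added example: evaluate the CVE-2026-54420 log indicators over cPanel-style access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout: "<ip> - <user> [<mm/dd/yyyy:HH:MM:SS +zzzz>] "<METHOD> <url> ..." ...".
# Adjust LOG_RE and TS_FORMAT to the real cPanel log format on your host.
LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)')
TS_FORMAT = '%m/%d/%Y:%H:%M:%S %z'
FUNC_RE = re.compile(r'cpanel_jsonapi_func=(?P<func>[A-Za-z_]+)')
# Marker from the grep on this page: 'cert_action_entry' followed by 'geneccert'.
CERT_ACTION_RE = re.compile(r'cert_action_entry.*geneccert')

# Constructed sample data (not real logs): alice shows the chained calls in a burst,
# bob issues lone legitimate-looking calls, carol calls both functions but not back to back.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 - alice [06/14/2026:10:00:01 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func={f} HTTP/1.1" 200'
     for f in ['generateEcCert', 'packageUserSize'] * 4]
    + ['198.51.100.7 - bob [06/14/2026:10:05:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200',
       '198.51.100.7 - bob [06/14/2026:10:07:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200',
       '192.0.2.44 - carol [06/14/2026:10:09:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200',
       '192.0.2.44 - carol [06/14/2026:10:09:05 +0000] "GET /frontend/index.html HTTP/1.1" 200',
       '192.0.2.44 - carol [06/14/2026:10:09:10 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200',
       # Constructed UI-log style line carrying the cert_action_entry marker.
       '2026-06-14 10:00:02 alice cert_action_entry SSL action=geneccert']
)


def parse_log(text):
    """Return one event per parseable access-log line: ip, user, ts, func (None for non-API hits)."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        f = FUNC_RE.search(m.group('url'))
        events.append({
            'ip': m.group('ip'),
            'user': m.group('user'),
            'ts': datetime.strptime(m.group('ts'), TS_FORMAT),
            'func': f.group('func') if f else None,
        })
    return events


def _by_user(events):
    """Group events per user, each group sorted by timestamp (stable for equal timestamps)."""
    groups = defaultdict(list)
    for e in events:
        groups[e['user']].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e['ts'])
    return groups


def find_chained_calls(events):
    """Indicator 1: generateEcCert immediately followed by packageUserSize for the same user."""
    hits = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev['func'] == 'generateEcCert' and cur['func'] == 'packageUserSize':
                hits.append((user, cur['ip'], cur['ts'].isoformat()))
    return hits


def find_bursts(events, threshold=7, window_seconds=2):
    """Indicator 2: a user issuing >= threshold API calls inside window_seconds (sliding window)."""
    hits = []
    for user, evs in _by_user(events).items():
        api = [e for e in evs if e['func']]
        start, best = 0, 0
        for end in range(len(api)):
            while (api[end]['ts'] - api[start]['ts']).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((user, best))
    return hits


def find_cert_action_markers(text):
    """Indicator 3: raw lines matching 'cert_action_entry ... geneccert'."""
    return [line for line in text.splitlines() if CERT_ACTION_RE.search(line)]


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('chained calls:', find_chained_calls(evs))
    print('bursts:', find_bursts(evs))
    print('cert_action markers:', find_cert_action_markers(SAMPLE_LOG))
```

Any hit from the first or third check is a strong signal on its own; the burst check is noisier and is best used to prioritise which positive users to triage first, following the guidance above to then review system logs for actions taken from the detected IPs.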

CVSS provenance

nvd (v3.1): 8.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck: 8.5 HIGH
cisa: 8.5 HIGH