CVE-2026-54420
Published 2026-06-14
Priority P183 · High · 8.5 (CVSS 3.1) · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H · KEV · ITW
CISA Known Exploited Vulnerability, due 2026-06-18
Exploited in the wild
EPSS: 1.26% (65.9th percentile)
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | cpanel_plugin | >= 2.3 < 2.4.8 | 2.4.8 |
| litespeedtech | litespeed_cpanel_plugin | < 2.4.8 | 2.4.8 |
| litespeedtech | litespeed_whm_plugin | < 5.3.2.0 | 5.3.2.0 |
Detection & IOCs (extracted from sources)
Command: `grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null`
- Look for log entries containing 'cpanel_jsonapi_func=generateEcCert' immediately followed by 'cpanel_jsonapi_func=packageUserSize' for the same user; legitimate UI flows do not chain these two calls together.
- Detect exploitation attempts by identifying 7–10 concurrent calls per attempt in cPanel logs; legitimate UI activity issues only one call at a time.
- Search cPanel and WHM logs for the string 'cert_action_entry' followed by 'geneccert' as an indicator of exploitation activity.
- If the grep command produces any output, examine system logs for actions taken by the detected IPs to assess damage scope.
- Exploitation vector is UNIX symlink following by a user with FTP or web shell access on shared hosting servers running CloudLinux/CageFS; monitor for unexpected symlink creation in user-writable directories on such hosts.
- Vulnerability only affects LiteSpeed cPanel plugin versions before 2.4.8 (bundled with LiteSpeed WHM Plugin before 5.3.2.0); servers already running v2.4.8 / WHM Plugin v5.3.2.1 or higher are not affected.
- The attack surface is limited to shared hosting servers running CloudLinux/CageFS; servers not using these isolation technologies have a different risk profile.
- Active exploitation was flagged by LiteSpeed in early June 2026 and confirmed as in-the-wild since May 2026; treat any positive grep output as a potential compromise requiring forensic triage per CISA BOD 26-04 guidance.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 8.5 | HIGH | |
| cisa | | 8.5 | HIGH | |
GHSA
ghsa_unreviewed · 2026-06-14 · CVE-2026-54420 [HIGH] · CWE-61
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
VulDB
LiteSpeed cPanel Plugin up to 2.4.7 symlink (EUVD-2026-36657)
vuldb · 2026-06-14 · CVSS 8.5 · CVE-2026-54420 [HIGH]
A vulnerability described as critical has been identified in LiteSpeed cPanel Plugin up to 2.4.7. This impacts an unknown function. The manipulation results in symlink following.
This vulnerability is known as CVE-2026-54420. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
VulnCheck
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
vulncheck · 2026 · CVSS 8.5 · CVE-2026-54420 [HIGH] · CWE-61
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
Affected: LiteSpeed cPanel Plugin
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patchi
CISA
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
cisa · 2026-06-15 · CVSS 8.5 · CVE-2026-54420 [HIGH] · CWE-61
Affected: LiteSpeed cPanel Plugin
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BO
No detection rules found.
No public exploits indexed.
Hackernews
blogs_hackernews · 2026-06-22 · CVSS 9.8 · CVE-2026-24858 [CRITICAL]
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Bleepingcomputer
blogs_bleepingcomputer · 2026-06-16 · CVSS 9.8 · CVE-2026-54420 [CRITICAL]
## CISA warns of another cPanel plugin flaw exploited in attacks
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a 'UNIX symlink following' weakness.
LiteSpeed flagged it as actively exploited in early June and released urgent security updates , warning users to update the cPanel u
Hackernews
blogs_hackernews · 2026-06-16 · CVSS 8.5 · CVE-2026-54420 [HIGH]
## CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026.
The vulnerability in question is CVE-2026-54420 (CVSS score: 8.5), which has been described as a case of privilege escalation. It allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS.
"LiteSpeed cP
Timeline
- 2026-06-14: Published
- 2026-06-15: Added to CISA KEV
- Exploited in the wild