LiteSpeed cPanel Plugin CVE-2026-54420 Added to KEV

The U.S. Cybersecurity and Infrastructure Security Agency just added a new vulnerability to its Known Exploited Vulnerabilities catalog. Federal agencies now have until June 18 to patch it.

The flaw is CVE-2026-54420, a privilege escalation issue in the LiteSpeed cPanel Plugin. On shared hosting servers running CloudLinux or CageFS, an attacker with FTP or web shell access can escalate privileges to root.

That is a full server compromise from a low-privilege foothold.

What Is the LiteSpeed cPanel Privilege Escalation Flaw?

The LiteSpeed cPanel privilege escalation vulnerability (CVE-2026-54420) exists because the plugin mishandles symlinks provided by a user on a shared hosting server. An attacker who already has limited access, via an FTP account or a web shell, can use this flaw to break out of their restricted environment and gain root privileges.

The vulnerability affects LiteSpeed cPanel Plugin versions before 2.4.8, as distributed in LiteSpeed WHM Plugin before 5.3.2.0.

According to the CVE description: "LiteSpeed cPanel plugin before 2.4.8 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS."
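The article describes the root cause only as "mishandles symlinks provided by a user", and does not show the plugin's code path, so the following is a generic illustration of that bug class, added here and not taken from LiteSpeed's or cPanel's code. It puts the vulnerable pattern (a privileged process opening whatever a tenant's path points at) beside the hardened form (resolve the path, confirm it stays inside the tenant's tree, open with O_NOFOLLOW). The tenant home, the planted symlink and the "root-only" file are all constructed inside a temporary directory; no real system files are touched.

```python
import os
import tempfile

def resolve_within(user_root, requested):
    """Resolve a user-controlled relative path (following every symlink) and
    return the real target only if it still lies inside user_root."""
    root = os.path.realpath(user_root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None
    return target

def read_user_file_unsafe(user_root, requested):
    """The bug class: a privileged process opens whatever sits at the
    user-supplied path, so a symlink planted by the tenant redirects the read
    to a file the tenant could never open directly."""
    with open(os.path.join(user_root, requested), "rb") as f:
        return f.read()

def read_user_file_safe(user_root, requested):
    """Hardened form: resolve first, refuse anything that escapes the tenant's
    tree, and open with O_NOFOLLOW so a symlink swapped in for the final path
    component between the check and the open is rejected rather than followed
    (a symlink swapped in for a parent directory is not covered by O_NOFOLLOW)."""
    target = resolve_within(user_root, requested)
    if target is None:
        raise PermissionError(f"{requested!r} resolves outside {user_root!r}")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW is POSIX-only
    fd = os.open(target, flags)
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo():
    """Constructed scenario: a tenant home containing a symlink that points at
    a file outside the tenant's tree (a stand-in for a root-owned system file).
    Returns (what the unsafe reader leaked, whether the safe reader refused,
    what the safe reader returns for a legitimate tenant file)."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "root-only.txt")
    with open(outside, "w") as f:
        f.write("root-only data")
    home = os.path.join(base, "home", "tenant")
    os.makedirs(home)
    os.symlink(outside, os.path.join(home, "innocent.txt"))
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("tenant data")

    leaked = read_user_file_unsafe(home, "innocent.txt").decode()
    try:
        read_user_file_safe(home, "innocent.txt")
        refused = False
    except PermissionError:
        refused = True
    allowed = read_user_file_safe(home, "notes.txt").decode()
    return leaked, refused, allowed

if __name__ == "__main__":
    leaked, refused, allowed = demo()
    print(f"unsafe reader leaked: {leaked!r}")
    print(f"safe reader refused symlink escape: {refused}")
    print(f"safe reader still serves tenant file: {allowed!r}")
```

The containment check uses realpath on both the tenant root and the requested path, so a symlink anywhere in the chain is resolved before the prefix comparison; on shared hosting the same check belongs in every privileged helper that touches tenant-writable paths, because CageFS isolation only holds if root-level components refuse to follow tenant-controlled links.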

Why This Matters for Shared Hosting

Shared hosting environments rely on isolation. One customer should not be able to see or affect another customer's files. CloudLinux and CageFS provide that isolation.

The LiteSpeed cPanel privilege escalation flaw breaks that isolation. An attacker who compromises one account, through a vulnerable WordPress plugin, a weak FTP password, or any other entry point, can use CVE-2026-54420 to become root on the entire server.

Once root:
1. Every other customer's data is accessible
2. The attacker can install system-level backdoors
3. The server can be used to launch further attacks
4. SSL certificates, database credentials, and customer files are all exposed

This is not a customer-level breach. This is a server-level breach.

Is the Vulnerability Being Exploited?

CISA has added CVE-2026-54420 to the KEV catalog, which means the agency has evidence of active exploitation. The specifics are not public: CISA did not share details about how the vulnerability is being used or whether any attacks have been successful.

But the KEV addition is a clear signal. If you run LiteSpeed WHM Plugin on shared hosting servers, treat this as an active threat.

How to Check If Your Server Is Affected

LiteSpeed has provided a grep command to check for signs of exploitation:
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

If the command produces no output, your server has not been impacted by this specific issue. Continue monitoring.

If the command does return matches, investigate further. To rule out false positives, LiteSpeed has provided two additional signals:
1. generateEcCert followed by packageUserSize, both for the same user (legitimate UI flows do not chain these events together)
2. 7 to 10 concurrent requests on each call (the legitimate UI issues only one request at a time to generate an EC certificate or package a user)

Multiple concurrent calls with the chained functions are a strong indicator of malicious activity.
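The grep command above only finds lines that mention either function; the two false-positive filters (same user, generateEcCert before packageUserSize, and 7 to 10 concurrent requests per call) still have to be applied by hand. The script below is an added example, not LiteSpeed's or cPanel's tooling, that applies both filters to log lines. Because the article does not describe the cPanel access-log layout, the sample lines use an assumed format of "timestamp, cPanel user, request line" and only the cpanel_jsonapi_func query parameter is taken from LiteSpeed's grep pattern; the two-second concurrency window is likewise an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout for the constructed sample: "<ISO timestamp> <cPanel user> <request>".
# The article does not describe the real cPanel access-log format; only the
# cpanel_jsonapi_func=... query parameter is taken from LiteSpeed's grep pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) .*cpanel_jsonapi_func="
    r"(?P<func>generateEcCert|packageUserSize)\b"
)
CONCURRENCY_WINDOW = timedelta(seconds=2)  # assumption: requests this close count as concurrent
BURST_MIN = 7                              # from the article: 7 to 10 concurrent requests

def _burst(ts, user, func, n):
    """Constructed helper: n identical requests at the same timestamp."""
    return [f"{ts} {user} GET /execute/?cpanel_jsonapi_func={func}" for _ in range(n)]

# Constructed sample: alice matches both signals, dave chains the calls one at a
# time, bob triggers only one function, carol never hits the pattern at all.
SAMPLE_LOG = (
    _burst("2026-06-01T10:00:00", "alice", "generateEcCert", 8)
    + _burst("2026-06-01T10:00:03", "alice", "packageUserSize", 8)
    + _burst("2026-06-01T10:05:00", "bob", "generateEcCert", 1)
    + _burst("2026-06-01T10:10:00", "dave", "generateEcCert", 1)
    + _burst("2026-06-01T10:10:05", "dave", "packageUserSize", 1)
    + ["2026-06-01T11:00:00 carol GET /cpsess/index.html"]
)

def parse(lines):
    """Keep only the lines the grep pattern would keep, as (time, user, func)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["func"]))
    events.sort()
    return events

def bursts(events):
    """Group by (user, func); split each group into bursts whose members fall
    within CONCURRENCY_WINDOW of the burst's first request. Returns
    {(user, func): [(burst_start, burst_size), ...]}."""
    times = defaultdict(list)
    for ts, user, func in events:
        times[(user, func)].append(ts)
    out = {}
    for key, ts_list in times.items():
        found, start, count = [], None, 0
        for ts in ts_list:
            if start is None or ts - start > CONCURRENCY_WINDOW:
                if count:
                    found.append((start, count))
                start, count = ts, 0
            count += 1
        found.append((start, count))
        out[key] = found
    return out

def assess(lines):
    """Apply LiteSpeed's two false-positive filters per user: generateEcCert
    followed by packageUserSize for the same user, and both in concurrent bursts."""
    per_user = defaultdict(dict)
    for (user, func), found in bursts(parse(lines)).items():
        per_user[user][func] = found
    verdicts = {}
    for user, funcs in per_user.items():
        gen, pkg = funcs.get("generateEcCert", []), funcs.get("packageUserSize", [])
        if not gen or not pkg:
            verdicts[user] = "single call type: grep hit, no chain"
            continue
        chained = any(g_start <= p_start for g_start, _ in gen for p_start, _ in pkg)
        bursty = (any(n >= BURST_MIN for _, n in gen)
                  and any(n >= BURST_MIN for _, n in pkg))
        if chained and bursty:
            verdicts[user] = "strong indicator: chained calls in concurrent bursts"
        elif chained:
            verdicts[user] = "chained calls, one request at a time: investigate"
        else:
            verdicts[user] = "both calls seen, not in order: investigate"
    return verdicts

if __name__ == "__main__":
    for user, verdict in sorted(assess(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

To run it against real output, feed the lines the grep command prints (or the raw log files) into assess(), after adjusting LINE_RE to the actual timestamp and user fields of your cPanel logs; a user that lands in the "strong indicator" bucket is the case the article says to treat as malicious, while the two "investigate" buckets are grep hits that the chaining filter alone cannot clear.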

Who Reported the Flaw?

On May 31, 2022, Namecheap responsibly disclosed the vulnerability to LiteSpeed, following the established responsible disclosure process. LiteSpeed subsequently released a patched version, and CISA has since added the CVE to its catalog of Known Exploited Vulnerabilities (KEV).

How To Fix The Vulnerability

The fix for this vulnerability is to update your LiteSpeed WHM Plugin to version 5.3.2.1 or later. Version 5.3.2.1 also includes cPanel Plugin v2.4.8, which contains the fix.

When you cannot update immediately:
1. Restrict FTP and web shell access to users you know and trust.
2. Run the grep check above against your logs to look for the indicators described.
3. If possible, disable the affected functionality until the patch is applied.

What Do Federal Agencies Need to Do?

CISA has provided a deadline to all FCEB agencies. Agencies must implement fixes by June 18, 2026.

Agencies that miss the deadline are out of compliance with CISA's binding operational directive and leave their infrastructure exposed to privilege escalation attacks.

The Bottom Line

The LiteSpeed cPanel privilege escalation flaw is a reminder that shared hosting isolation is only as strong as the software that enforces it. A symlink mishandling bug in a popular control panel plugin turns a low-privilege foothold into full root access.

If you run LiteSpeed WHM Plugin on shared hosting servers, check the grep output, patch to 5.3.2.1, and meet the CISA deadline if applicable.

Because the next FTP account compromise on your server might not stop at one customer's site.

FAQ Section

What is CVE-2026-54420?

CVE-2026-54420 is a privilege escalation vulnerability in the LiteSpeed cPanel Plugin that allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS.

Which versions are affected?

LiteSpeed cPanel Plugin versions before 2.4.8 and LiteSpeed WHM Plugin versions before 5.3.2.0 are affected.

How do I check if my server has been exploited?

Run the grep command provided by LiteSpeed. If output shows generateEcCert followed by packageUserSize for the same user with 7–10 concurrent calls, that is a strong indicator of exploitation.

Is this vulnerability being exploited in the real world?

CISA says CVE-2026-54420 is known to be exploited, meaning it is actively being used in attacks, but it has not publicly provided details of how it is being exploited, which would have helped in understanding the actual risk.

Who reported the vulnerability?

LiteSpeed reported this vulnerability to Namecheap on May 31, 2026.

By when must federal agencies apply the patches?

Pursuant to CISA's binding operational directive, Federal Civilian Executive Branch agencies must apply patches by June 18, 2026.

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067