LiteSpeed cPanel CVE-2026-54420 in KEV: symlink path to root, second LiteSpeed cPanel KEV in 3 weeks
CISA added CVE-2026-54420 — a CVSS 8.5 symlink-following bug in the LiteSpeed cPanel plugin — to KEV on June 15. Federal patch deadline: June 18.
CISA added CVE-2026-54420 to the Known Exploited Vulnerabilities catalog on June 15. The bug — a CWE-61 UNIX symbolic-link-following flaw in the LiteSpeed cPanel plugin before 2.4.8 — lets a user with FTP or web-shell access on a shared-hosting box running CloudLinux/CageFS escalate to root on the host. CVSS 8.5. Federal civilian agencies must patch by June 18 — a three-day window under BOD 26-04.
This is the second LiteSpeed cPanel plugin KEV-add in three weeks. The previous one, CVE-2026-48172, was a different bug — the lsws.redisAble JSON API privilege escalation — but the same product surface and the same root-escape outcome.
What's affected
- LiteSpeed cPanel plugin versions before 2.4.8.
- Distributed inside LiteSpeed WHM PlugIn versions before 5.3.2.0.
- Triggered only on shared-hosting servers running CloudLinux with CageFS isolation.
If you operate a non-CloudLinux cPanel host or a server without CageFS, this specific symlink path doesn't fire — but you should still patch, because the plugin's privilege boundary is what failed, and CageFS was the last layer keeping it contained.
The flaw
Per the NVD description quoted by BleepingComputer and The Hacker News:
"LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS."
CageFS sandboxes tenants into a chrooted view of the filesystem. The plugin, running as root for cache-management tasks, follows symlinks placed by a tenant without re-validating that the resolved path is still inside the tenant's CageFS jail. A symlink that points out of the cage — to anything root can write — produces the privilege escalation.
The CVE was assigned June 14 and the fixed release shipped on June 1, 2026 (WHM PlugIn 5.3.2.1, bundled with cPanel plugin 2.4.8). Hosts that took the June update are clean; hosts on the 5.3.1 line are not.
Exploitation status
Active exploitation was the basis for the KEV add. Multiple secondary outlets — BleepingComputer, The Hacker News — report exploitation since May 2026, predating the CVE assignment by roughly six weeks. No named threat-actor attribution has been published. Treat the bug as opportunistic mass-scanning, the same posture as CVE-2026-48172.
No public exploit code has been published at time of writing. The technique is straightforward enough that one will appear shortly.
Action checklist
- Upgrade LiteSpeed WHM PlugIn to 5.3.2.1 or later (with cPanel plugin 2.4.8) — today. The KEV deadline is June 18.
- Inventory CloudLinux + CageFS hosts running LiteSpeed cPanel plugin first. That's the exploitable subset.
- Audit /etc/cron.d/, /etc/crontab, and root-owned crons on any LiteSpeed cPanel host that was internet-reachable before patching. Root-cron persistence is the cheap post-exploit move and the easiest to spot.
- Hunt for symlinks in tenant directories pointing outside the tenant's CageFS root. The plugin's exploitation primitive leaves them behind. find /home/*/public_html -type l -lname '/*' -printf '%p -> %l\n' 2>/dev/null | grep -v -- '-> /home/' will surface most (print the link target, not just the link path, so the /home filter applies to where the link points rather than to the tenant directory you are already searching).
- Rotate root credentials and SSH keys on any host showing evidence of suspicious symlinks, suspicious cron entries, or unexplained processes running as root since May 1.
- Tenants on shared hosting: ask your provider, in writing, whether they've applied 5.3.2.1. A "yes" before June 18 is the answer you want.
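The check below is an added example, not code from LiteSpeed, cPanel or CloudLinux. It does two things the page describes: the jail-containment validation that the flaw says the plugin skipped (resolve the symlink fully, then confirm the result is still inside the tenant's root), and the symlink hunt from the checklist, extended to relative and nested links that the find -lname '/*' pattern misses. It assumes each tenant's CageFS view is rooted at the tenant's home directory; the sample tenant tree is constructed in a temp directory.

```python
import os
import tempfile


def escapes_jail(link_path: str, jail_root: str) -> bool:
    """True if link_path's fully resolved target lies outside jail_root.

    os.path.realpath follows every symlink component (absolute, relative and
    nested), so both '/etc/crontab' and '../../../etc' are caught, and a
    dangling link is judged on its would-be target rather than skipped.
    This is the validation a root-privileged process must perform before
    acting on a tenant-supplied path.
    """
    jail = os.path.realpath(jail_root)
    target = os.path.realpath(link_path)
    return os.path.commonpath([jail, target]) != jail


def find_escaping_symlinks(tenant_home: str):
    """Walk a tenant home and return (link, resolved_target) pairs that escape it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(tenant_home):
        # Directory symlinks show up in dirnames; os.walk does not descend into them.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and escapes_jail(path, tenant_home):
                hits.append((path, os.path.realpath(path)))
    return sorted(hits)


def demo():
    """Constructed tenant tree: one absolute escape, one relative escape, one benign link."""
    root = tempfile.mkdtemp(prefix="cagefs-demo-")
    home = os.path.join(root, "home", "tenant1")
    pub = os.path.join(home, "public_html")
    os.makedirs(pub)
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "etc", "crontab"), "w").close()
    open(os.path.join(pub, "index.html"), "w").close()
    os.symlink(os.path.join(root, "etc", "crontab"), os.path.join(pub, "abs_out"))  # absolute, escapes
    os.symlink("../../../etc", os.path.join(pub, "rel_out"))  # relative, escapes (missed by -lname '/*')
    os.symlink("index.html", os.path.join(pub, "inside"))  # stays inside the jail
    return [os.path.relpath(link, home) for link, _ in find_escaping_symlinks(home)]


if __name__ == "__main__":
    for link in demo():
        print("escapes jail:", link)
```

On a real host, point find_escaping_symlinks at each /home/<user> and review every hit alongside the cron audit above.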
Context
Two KEV-eligible root-escalation bugs in the LiteSpeed cPanel plugin in under three weeks. Both were assigned CVEs only after in-the-wild exploitation was already running. The pattern — privilege-boundary failures in cPanel ecosystem plugins, opportunistic mass-scanning before disclosure, weeks-long head start for attackers before the CVE catches up — is recurring fast enough that it's worth treating LiteSpeed cPanel surfaces as trust-degraded by default in 2026 hardening posture.
If you're a hosting provider, the operational lesson from the previous LiteSpeed cPanel post holds: subscribe directly to the vendor advisory feed, do not wait for the CVE database to update, and budget for an emergency patch window each time WHM publishes a security release on this plugin line.