
CISA Warns of Active Attacks on LiteSpeed cPanel Plugin


Bottom line: A critical privilege escalation vulnerability (CVE-2026-54420) in the LiteSpeed cPanel plugin is being actively exploited and requires immediate patching to version 2.4.8 or higher.

The US security agency CISA has issued a three-day deadline for US federal agencies to remediate a critical root vulnerability in the LiteSpeed cPanel plugin that is already being actively exploited. All versions prior to 2.4.8 are affected.

The vulnerability CVE-2026-54420 allows attackers with existing FTP or web shell access to escalate their privileges on shared hosting servers running CloudLinux or CageFS to root level. The issue stems from improper handling of Unix symlinks. LiteSpeed identified the vulnerability in early June and released security updates. The affected cPanel plugin is distributed together with the WHM plugin.

CISA issued the three-day deadline based on its amended internal policy Binding Operational Directive (BOD) 26-04, which prioritizes bug fixes strictly according to real exploitation risk. For a root vulnerability on internet-facing servers that enables scalable mass attacks and complete system takeover, this is classified as the highest priority. The agency warned: this type of vulnerability is among the most common attack patterns used by malicious actors and poses significant risks to federal enterprises. If no mitigation measures are available, agencies must discontinue use of the product.

Administrators can check affected servers for possible exploitation using specific search commands in the log directories /usr/local/cpanel/logs/ and /var/cpanel/logs/. Search for suspicious API calls such as generateEcCert or packageUserSize. If the search command returns results, the vulnerability may have been exploited. In this case, administrators should analyze system logs for actions from the identified IPs to determine the scope of potential damage.
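The check described above, as an added example that is not part of the article or of LiteSpeed's own tooling: a small POSIX shell script that searches the two named log directories for the indicator strings `generateEcCert` and `packageUserSize` and lists the unique IPv4 addresses found on matching lines, so they can be followed up in other system logs. The sample log lines, their format and the request path in them are constructed for the demo and do not reflect a real cPanel log layout.

```shell
#!/bin/sh
# Added example (not from the advisory, CISA or LiteSpeed): look for the
# indicator API calls in cPanel log directories and report the client IPs
# seen on matching lines.

INDICATORS='generateEcCert|packageUserSize'

# Recursively search the given directories for the indicator strings.
# Prints matching lines prefixed by file name; exit status 0 if anything
# matched, 1 if nothing matched (grep's own convention).
scan_logs() {
    grep -rE "$INDICATORS" "$@"
}

# Reduce matching lines to the unique IPv4 addresses they contain, which is
# the list an administrator would then look for in the rest of the system logs.
suspicious_ips() {
    scan_logs "$@" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Offline demo on constructed sample logs. The format and the request path are
# illustrative only; 203.0.113.7 and 198.51.100.23 are documentation addresses.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cpanel_logs" "$dir/var_logs"
    cat > "$dir/cpanel_logs/access_log" <<'EOF'
203.0.113.7 - user1 [17/Jun/2026:10:01:02 +0000] "GET /json-api/listaccts HTTP/1.1" 200
203.0.113.7 - user1 [17/Jun/2026:10:01:09 +0000] "POST /example-plugin-endpoint?api=generateEcCert HTTP/1.1" 200
198.51.100.23 - user2 [17/Jun/2026:10:02:11 +0000] "GET /frontend/index.html HTTP/1.1" 200
EOF
    cat > "$dir/var_logs/error_log" <<'EOF'
[17/Jun/2026:10:03:44] 203.0.113.7 packageUserSize called with unexpected path
EOF
    suspicious_ips "$dir/cpanel_logs" "$dir/var_logs"
    rm -rf "$dir"
}

# On a real host (run as root), the equivalent call is:
#   suspicious_ips /usr/local/cpanel/logs/ /var/cpanel/logs/
# No output means the indicator strings were not found in those directories;
# it does not by itself prove the server was not exploited.
```

The IP extraction is deliberately simple: it pulls any IPv4 address on a matching line, so a line that carries more than one address (for example a proxy header) yields more than one candidate, which is the safer direction for a triage list.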

This is already the second critical vulnerability in the LiteSpeed cPanel plugin within a short timeframe. Last month, CISA warned of CVE-2026-48172, which allowed unauthenticated attackers to execute arbitrary scripts with root privileges.


Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.
