LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting

Suspected
Discovered Jun 15, 2026

CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-54420 to the Known Exploited Vulnerabilities catalog on 2026-06-15 and set a 2026-06-18 due date for remediation CISA KEV opens in a new tab. CISA classifies the issue as a LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability and says it affects a user who already has FTP or web shell access on a shared hosting server running CloudLinux/CageFS CISA KEV opens in a new tab.

LiteSpeed says the vulnerable user-end cPanel plugin was patched in v2.4.8 and that the fixed bundle is LiteSpeed WHM Plugin v5.3.2.1 with cPanel plugin v2.4.8 LiteSpeed opens in a new tab. The vendor also says the issue was being actively exploited and provides a grep-based log check for defender triage LiteSpeed opens in a new tab. This post focuses on shared-hosting operators, because the blast radius is host-wide once a tenant can make the plugin follow attacker-controlled symlinks.

Key Facts

Cve: CVE-2026-54420

Vendor: LiteSpeed Technologies

Product: cPanel Plugin

Affected Surface:

  • LiteSpeed user-end cPanel plugin
  • Shared hosting servers running CloudLinux/CageFS
  • Hosts reachable by FTP or web shell users

Kev Added: 2026-06-15

Kev Due: 2026-06-18

Vulnerability: UNIX symbolic link following / symlink handling flaw

Cwe: CWE-61

Nvd Cvss V31: 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Patched Versions:

  • LiteSpeed cPanel Plugin 2.4.8
  • LiteSpeed WHM Plugin 5.3.2.1

High Value Evidence:

  • /usr/local/cpanel/logs/
  • /var/cpanel/logs/
  • cpanel_jsonapi_func=(generateEcCert|packageUserSize)
  • cert_action_entry .*geneccert
  • LiteSpeed WHM Plugin v5.3.2.1
  • cPanel plugin v2.4.8

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-54420 as a known exploited issue, records the shared-hosting / CloudLinux-CageFS exposure, and sets a 2026-06-18 due date CISA KEV opens in a new tab.
  • confirmed: LiteSpeed says the vulnerable user-end plugin was patched in v2.4.8, the fixed delivery bundle is WHM Plugin v5.3.2.1, and the weakness can be checked with a grep across /usr/local/cpanel/logs/ and /var/cpanel/logs/ LiteSpeed opens in a new tab.
  • confirmed: LiteSpeed says the issue was actively exploited and gives false-positive guidance: look for generateEcCert immediately followed by packageUserSize for the same user, plus 7–10 concurrent calls and the same source IP hammering both endpoints LiteSpeed opens in a new tab NVD opens in a new tab.
  • confirmed: NVD describes the flaw as symlink mishandling in the cPanel plugin before 2.4.8, notes the shared-hosting / CloudLinux-CageFS boundary, and records the CVSS v3.1 vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H NVD opens in a new tab.
  • unknown: CISA marks known ransomware campaign use as Unknown in the KEV feed CISA KEV opens in a new tab.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseLog review shows the vendor signature, especially generateEcCert followed by packageUserSize, or cert_action_entry entries tied to unexpected file or privilege changes./usr/local/cpanel/logs/, /var/cpanel/logs/, filesystem diffs, root-owned file creation, and account changes.Isolate the host, preserve logs, and treat the machine as fully compromised.
Presumed exposedThe host runs the LiteSpeed user-end cPanel plugin and has not been verified at version 2.4.8 or later.Package inventory, plugin version output, or bundle metadata.Patch or uninstall the user-end plugin immediately.
Potentially exposedLiteSpeed is present on a shared host, but user-end plugin status is unclear.Asset inventory, package lists, and cPanel plugin discovery.Verify whether the user-end plugin is installed and whether the host is tenant-facing.
Not exposedThe user-end plugin is absent, or a verified version at or above the fixed release is documented.Version proof and negative log review.Close the case after archiving the evidence bundle.

Technical Analysis

The vendor and NVD descriptions point to a tenant-to-host boundary failure. A low-privileged shared-hosting user with FTP or web shell access can influence symlink handling inside the LiteSpeed cPanel plugin, which should never follow attacker-controlled links into privileged actions on the host LiteSpeed opens in a new tab NVD opens in a new tab [1].

For defenders, the important point is that the issue is not limited to a single account. In a shared-hosting environment, a successful exploit can become host-wide because the plugin lives in the control plane and the affected tenant can reach sensitive host-level operations by steering the plugin through unsafe link resolution LiteSpeed opens in a new tab NVD opens in a new tab [1].

Affected Assets and Blast Radius

Asset Selectors:

  • LiteSpeed cPanel Plugin
  • LiteSpeed WHM Plugin bundle
  • Shared hosting nodes with CloudLinux/CageFS

Highest Value Assets:

  • Host root access
  • Tenant webroots and account data
  • cPanel-managed certificates and credentials
  • Backup sets and control-plane settings

Credentials And Data At Risk:

  • cPanel user passwords and SSH keys
  • Database passwords in hosted application configs
  • SSL private keys and certificate material
  • Host-level administrative access

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

Patch the LiteSpeed bundle to WHM Plugin v5.3.2.1 or newer so the bundled user-end plugin is v2.4.8 LiteSpeed opens in a new tab. If patching cannot happen immediately, LiteSpeed says operators can uninstall the user-end plugin while preserving the core WHM plugin LiteSpeed opens in a new tab.

Closure requires all three of these items:

  1. Version proof that the user-end plugin is at 2.4.8 or later.
  2. Negative review of the vendor grep signature across cPanel logs.
  3. Confirmation that the host is not being used as a shared-hosting tenant surface with unsafe FTP or web shell access.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 15, 2026DiscoveryDiscovery recorded for LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting.cisa.gov
Jun 15, 2026LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared HostingUnknowncisa.gov
Jun 15, 2026DisclosureDisclosure recorded for LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting.cisa.gov
Jun 15, 2026First seenFirst seen recorded for LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting.cisa.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

2 of 2 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabcisa.gov
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting?scripts/local_repository_and_exported_telemetry_scope_2.py opens in a new tabcisa.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
"""Generic IOC scope scanner for litespeed-cpanel-plugin-cve-2026-54420-kev.

Searches repository trees and exported logs for literal IOC values from iocs.json.
Exit codes:
  0: no matches
  1: one or more indicators matched
  2: execution error
"""
import argparse
import fnmatch
import os
import sys
from pathlib import Path

OUT = Path(os.environ.get("OUT", "hp-litespeed-cpanel-plugin-cve-2026-54420-kev-ioc-scope"))
CONTENT_INDICATORS = [
  "generateEcCert",
  "packageUserSize",
  "cert_action_entry .*geneccert",
  "LiteSpeed"
]
PATH_INDICATORS = [
  "/usr/local/cpanel/logs/",
  "/var/cpanel/logs/"
]
EXCLUDE_DIRS = {".git", "node_modules", "vendor", "dist", "build", ".venv", "__pycache__"}

def _iter_files(root):
    root = Path(root)
    if not root.exists():
        return
    if root.is_file():
        yield root
        return
    for current, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in EXCLUDE_DIRS]
        for name in files:
            yield Path(current) / name

def _path_matches(path):
    text = str(path)
    matches = []
    for indicator in PATH_INDICATORS:
        if not indicator:
            continue
        if indicator.startswith(("/", "~")):
            candidate = Path(os.path.expanduser(indicator))
            if candidate.exists() and path == candidate:
                matches.append(indicator)
        if indicator in text or fnmatch.fnmatch(text, indicator) or fnmatch.fnmatch(path.name, indicator):
            matches.append(indicator)
    return matches

def _content_matches(path):
    try:
        content = path.read_text(errors="ignore")
    except Exception:
        return []
    return [indicator for indicator in CONTENT_INDICATORS if indicator and indicator in content]

def _scan_roots(roots):
    matches = []
    for root in roots:
        if not root:
            continue
        for path in _iter_files(root):
            for indicator in _path_matches(path):
                matches.append(f"{path}: path matched {indicator!r}")
            for indicator in _content_matches(path):
                matches.append(f"{path}: content matched {indicator!r}")
    return matches

def main():
    parser = argparse.ArgumentParser(description="Scan files and logs for Halting Problems IOC values")
    parser.add_argument("roots", nargs="*", default=["."], help="File or directory roots to scan")
    parser.add_argument("--log-root", default=os.environ.get("LOG_ROOT", ""), help="Optional exported log directory")
    args = parser.parse_args()

    OUT.mkdir(parents=True, exist_ok=True)
    indicator_lines = sorted(set(CONTENT_INDICATORS + PATH_INDICATORS))
    (OUT / "ioc-indicators.txt").write_text("\n".join(indicator_lines) + "\n")

    roots = list(args.roots)
    if args.log_root:
        roots.append(args.log_root)
    matches = _scan_roots(roots)
    if matches:
        (OUT / "ioc-scope-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} IOC matches; details written under {OUT}")
        return 1
    print(f"[+] No IOC matches found; indicator inventory written under {OUT}")
    return 0

if __name__ == "__main__":
    try:
        sys.exit(main())
    except Exception as exc:
        print(f"[-] Execution failure: {exc}", file=sys.stderr)
        sys.exit(2)

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope_2.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope_2.py
scripts/local_repository_and_exported_telemetry_scope_2.py opens in a new tabPython
#!/usr/bin/env python3
"""Generic IOC scope scanner for litespeed-cpanel-plugin-cve-2026-54420-kev.

Searches repository trees and exported logs for literal IOC values from iocs.json.
Exit codes:
  0: no matches
  1: one or more indicators matched
  2: execution error
"""
import argparse
import fnmatch
import os
import sys
from pathlib import Path

OUT = Path(os.environ.get("OUT", "hp-litespeed-cpanel-plugin-cve-2026-54420-kev-ioc-scope"))
CONTENT_INDICATORS = [
  "generateEcCert",
  "packageUserSize",
  "cert_action_entry .*geneccert",
  "LiteSpeed"
]
PATH_INDICATORS = [
  "/usr/local/cpanel/logs/",
  "/var/cpanel/logs/"
]
EXCLUDE_DIRS = {".git", "node_modules", "vendor", "dist", "build", ".venv", "__pycache__"}

def _iter_files(root):
    root = Path(root)
    if not root.exists():
        return
    if root.is_file():
        yield root
        return
    for current, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in EXCLUDE_DIRS]
        for name in files:
            yield Path(current) / name

def _path_matches(path):
    text = str(path)
    matches = []
    for indicator in PATH_INDICATORS:
        if not indicator:
            continue
        if indicator.startswith(("/", "~")):
            candidate = Path(os.path.expanduser(indicator))
            if candidate.exists() and path == candidate:
                matches.append(indicator)
        if indicator in text or fnmatch.fnmatch(text, indicator) or fnmatch.fnmatch(path.name, indicator):
            matches.append(indicator)
    return matches

def _content_matches(path):
    try:
        content = path.read_text(errors="ignore")
    except Exception:
        return []
    return [indicator for indicator in CONTENT_INDICATORS if indicator and indicator in content]

def _scan_roots(roots):
    matches = []
    for root in roots:
        if not root:
            continue
        for path in _iter_files(root):
            for indicator in _path_matches(path):
                matches.append(f"{path}: path matched {indicator!r}")
            for indicator in _content_matches(path):
                matches.append(f"{path}: content matched {indicator!r}")
    return matches

def main():
    parser = argparse.ArgumentParser(description="Scan files and logs for Halting Problems IOC values")
    parser.add_argument("roots", nargs="*", default=["."], help="File or directory roots to scan")
    parser.add_argument("--log-root", default=os.environ.get("LOG_ROOT", ""), help="Optional exported log directory")
    args = parser.parse_args()

    OUT.mkdir(parents=True, exist_ok=True)
    indicator_lines = sorted(set(CONTENT_INDICATORS + PATH_INDICATORS))
    (OUT / "ioc-indicators.txt").write_text("\n".join(indicator_lines) + "\n")

    roots = list(args.roots)
    if args.log_root:
        roots.append(args.log_root)
    matches = _scan_roots(roots)
    if matches:
        (OUT / "ioc-scope-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} IOC matches; details written under {OUT}")
        return 1
    print(f"[+] No IOC matches found; indicator inventory written under {OUT}")
    return 0

if __name__ == "__main__":
    try:
        sys.exit(main())
    except Exception as exc:
        print(f"[-] Execution failure: {exc}", file=sys.stderr)
        sys.exit(2)

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%1CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.
blog.litespeedtech.comSecurity Researcher95%1CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.
nvd.nist.govSecurity Researcher95%1CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.