CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation

Ravie LakshmananJun 16, 2026Vulnerability / Server Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026.

The vulnerability in question is CVE-2026-54420 (CVSS score: 8.5), which has been described as a case of privilege escalation. It allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS.

“LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS,” according to a description of the vulnerability in CVE.org.

It’s currently not known how the vulnerability is being exploited in the wild and if any of those attacks have been successful, but LiteSpeed has urged users to run the command below to check if their servers are affected –

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

If the grep command does not show any output, it indicates the server has not been impacted by the issue. If there is any output, LiteSpeed has shared additional indicators to rule out any false positives –

• generateEcCert immediately followed by packageUserSize for the same user (legitimate UI flows don’t chain these)
• 7-10 concurrent calls per attempt (legitimate UI does one at a time)

Namecheap has been credited with bringing the issue to its attention on May 31, 2026. Users are advised to upgrade to LiteSpeed WHM Plugin v5.3.2.1 (bundled w/ cPanel plugin v2.4.8) or higher to patch the vulnerability.