LiteSpeed cPanel Plugin Flaw Lets Shared Hosting Users Escalate to Root
LiteSpeed disclosed and patched CVE-2026-54420, a high-severity privilege-escalation flaw in the LiteSpeed cPanel plugin that can let a low-privileged user gain root access on shared hosting servers. The bug affects plugin versions before 2.4.8 and stems from improper handling of user-supplied symlinks, a weakness classified as CWE-61. The issue is especially dangerous on CloudLinux/CageFS shared hosting deployments, where a single compromised tenant with FTP or web-shell access could potentially jeopardize other hosted sites on the same server.
The vulnerability has been reported as actively exploited in the wild, with exploitation observed in May 2026, and carries a CVSS 8.5 severity rating. LiteSpeed said the fix is included in cPanel plugin version 2.4.8, bundled with WHM Plugin v5.3.2.1, and urged administrators to upgrade immediately or temporarily remove the user-end plugin if patching is not yet possible. Defenders were also advised to review cPanel logs for suspicious activity, including repeated requests to certificate-related endpoints from a single IP address.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-54420 vulnerability details are publicly disclosed
Public reporting described CVE-2026-54420 as a privilege escalation flaw in LiteSpeed cPanel plugin versions before 2.4.8 caused by improper handling of user-provided symlinks. Reports also noted the issue was identified by Namecheap’s team and urged administrators to patch or disable the user-end plugin temporarily.
CISA adds CVE-2026-54420 to KEV catalog
CISA added LiteSpeed cPanel plugin flaw CVE-2026-54420 to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 22-01, ordered federal agencies to remediate it by June 18, 2026. The listing cited confirmed active exploitation and affected plugin versions prior to 2.4.8.
Attackers exploit CVE-2026-54420 in the wild during May 2026
The LiteSpeed cPanel plugin symlink privilege escalation flaw was reportedly exploited in the wild in May 2026. The bug allows a low-privileged user with FTP or web shell access on shared hosting servers running CloudLinux/CageFS to escalate to root.
LiteSpeed releases cPanel plugin security update 2.4.8
LiteSpeed published a security update for its cPanel plugin addressing the privilege escalation issue. The fix was released in cPanel plugin version 2.4.8 and bundled with WHM Plugin v5.3.2.1.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CISA Adds LiteSpeed cPanel Plugin Vulnerability to KEV List Following Active Exploitation
cybersecuritynews.com
Open sourceJoomla, LiteSpeed Vulnerabilities Exploited in Attacks - SecurityWeek
securityweek.com
Open sourceU.S. CISA adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceLiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild
cybersecuritynews.com
Open sourceLiteSpeed cPanel Privilege Escalation Exploited in Wild
securityonline.info
Open sourceCISA warns of another cPanel plugin flaw exploited in attacks
bleepingcomputer.com
Open sourceCVE-2026-54420 - LiteSpeed cPanel Plugin Symlink Privilege Escalation
cvefeed.io
Open sourceCVE Record: CVE-2026-54420
cve.org
Open sourceSecurity Update for LiteSpeed cPanel Plugin ⋆ LiteSpeed Blog
blog.litespeedtech.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LiteSpeed cPanel Plugin Flaw Enables Privilege Escalation to Root
A privilege-escalation vulnerability tracked as **`CVE-2026-48172`** affects the LiteSpeed User-End cPanel Plugin in versions before **`2.4.5`** and was reportedly exploited in the wild. The flaw is tied to improper handling of Redis enable/disable functionality and could allow an attacker to escalate privileges, potentially reaching **root** access. The related **LiteSpeed WHM Plugin** was identified as the parent plugin but was not affected. In response, cPanel said the LiteSpeed plugin was automatically removed during a nightly update, indicating active mitigation for affected environments. Defenders were advised to review cPanel log directories for requests containing: ```text cpanel_jsonapi_func=redisAble ``` and to investigate associated IP addresses and broader system logs to determine whether exploitation attempts or successful compromise occurred.
Jun 1, 2026
Critical cPanel & WHM Auth Bypass Exploited for Server Takeover
WebPros cPanel disclosed and patched a critical authentication bypass flaw in **cPanel & WHM** and **WP Squared**, now tracked as `CVE-2026-41940` with a **CVSS 9.8** score. The bug affects all supported cPanel & WHM versions after `11.40` prior to fixed releases, and reporting indicates some unsupported versions are likely vulnerable as well. Researchers said the issue stems from improper session handling tied to a **CRLF injection** in the login flow, allowing unauthenticated remote attackers to poison session data and gain administrator or root-level access to exposed hosting control panels. cPanel released emergency updates across supported branches, published detection guidance, and advised administrators to force updates, restart `cpsrvd`, and investigate session files and logs for signs of compromise. Multiple sources reported the flaw was **actively exploited in the wild** before patches were issued, with hosting providers such as **Namecheap** and **KnownHost** taking emergency action by restricting access to management ports like `2083` and `2087` while deploying fixes. **CISA** added `CVE-2026-41940` to its **Known Exploited Vulnerabilities** catalog and ordered federal agencies to remediate quickly, while national cyber agencies in Canada, Austria, and Belgium also warned of the risk. Public technical analysis, proof-of-concept code, and exploit tooling released after disclosure increased the likelihood of broad opportunistic attacks against internet-exposed cPanel systems, which researchers estimated number in the hundreds of thousands to more than a million, raising the risk of website compromise, credential theft, ransomware, phishing, and multi-tenant hosting breaches.
Jun 12, 2026
Critical LiteSpeed Cache Flaw Lets Attackers Create WordPress Admin Accounts
A **critical vulnerability** in the LiteSpeed Cache plugin for WordPress can let attackers create new user accounts — including **administrator** accounts — on affected sites, potentially leading to full site takeover. The issue affects **unpatched versions prior to `6.4`** when the plugin is deployed on **Linux-based systems**; based on available information, the flaw is **not currently believed to be exploitable on Windows-based deployments**. The plugin developer has released a fix in **version `6.4`**, and authorities urged organizations and individuals using WordPress with LiteSpeed Cache to update immediately because **no alternative mitigations are available**. While exploitation of this specific flaw had **not been observed** at the time of reporting, prior vulnerabilities in the same product have been **widely exploited**, increasing the urgency of patching exposed sites.
Apr 27, 2026