Last updated: July 5, 2026 at 9:01 AM UTC
Tag: litespeed (2 articles)

Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root

CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.

Check
Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
Affected
Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
Fix
Upgrade now to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.

LiteSpeed cPanel Plugin CVE-2026-48172 actively exploited - root-level script execution, update to 2.4.7 / WHM 5.3.1.0

LiteSpeed Technologies has patched CVE-2026-48172, a privilege-escalation vulnerability in its cPanel plugin that lets a low-privileged cPanel user trick the plugin into running scripts as root. The flaw has been observed under active exploitation. The fix lands in cPanel plugin v2.4.7 bundled with WHM plugin 5.3.1.0. Operators who cannot patch immediately are advised to uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. This follows last month's actively exploited CVE-2026-41940 (CVSS 9.8) in cPanel itself, which threat actors used to drop Mirai variants and the Sorry ransomware strain. cPanel hosting providers and resellers are the primary targets.

Check
Inventory cPanel hosts running the LiteSpeed cPanel plugin. Confirm the WHM plugin version and the bundled cPanel plugin version. Search /var/log/messages for unexpected lscmctl invocations.
Affected
All LiteSpeed cPanel plugin versions before 2.4.7 (bundled with WHM plugin 5.3.1.0). Hosting providers and shared-hosting tenants where low-privileged cPanel users can run scripts are at highest risk.
Fix
Upgrade to LiteSpeed WHM plugin 5.3.1.0 (with bundled cPanel plugin 2.4.7) immediately. Temporary mitigation: uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.
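Both Check sections above ask operators to confirm plugin versions against the fixed releases and to look for lscmctl activity in /var/log/messages. The following is an added example (not code from either article or from LiteSpeed) that does the two comparisons and pulls lscmctl lines out of a log; it assumes you already have the version strings from your own inventory, and the log lines it is run against in the usage call are constructed samples, not real ones.

```shell
#!/bin/sh
# Added example, not part of the original articles or the LiteSpeed plugin.
# Thresholds come from the articles: cPanel plugin 2.4.8 / WHM plugin 5.3.2.1
# (CVE-2026-54420), which also covers the earlier 2.4.7 / 5.3.1.0 fix
# (CVE-2026-48172). How the version strings are collected is left to the
# operator (assumption); pass them in as arguments.

# Compare two dotted numeric versions; prints lt, eq or gt for $1 vs $2.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # missing trailing component counts as 0
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
    done
    echo eq
}

# True (exit 0) when the cPanel user-end plugin is older than 2.4.8.
plugin_vulnerable() { [ "$(vercmp "$1" 2.4.8)" = lt ]; }

# True (exit 0) when the WHM plugin is older than 5.3.2.1.
whm_vulnerable() { [ "$(vercmp "$1" 5.3.2.1)" = lt ]; }

# Print every log line on stdin that mentions lscmctl, for manual triage.
lscmctl_lines() { grep 'lscmctl' || true; }

# Count those lines (0 when none), for a quick dashboard-style check.
lscmctl_count() { lscmctl_lines | grep -c . || true; }

# Usage on constructed sample input (hostnames and timestamps are made up).
if plugin_vulnerable "2.4.6"; then echo "cPanel plugin 2.4.6: update to 2.4.8"; fi
if whm_vulnerable "5.3.1.0"; then echo "WHM plugin 5.3.1.0: update to 5.3.2.1"; fi
printf '%s\n' \
  'Jun 3 02:11:09 host1 sshd[411]: Accepted publickey for admin' \
  'Jun 3 02:12:40 host1 sudo: user77 : COMMAND=/usr/local/lsws/admin/misc/lscmctl' \
  | lscmctl_lines
```

Any lscmctl line tied to an ordinary tenant account rather than an administrator is worth a closer look, since the plugin is what the attacker abuses in both CVEs.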