Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root
CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.
- Check: Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
- Affected: Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
- Fix: Upgrade to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later now. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.
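
An added example, not part of the original advisory and not LiteSpeed's code: a Python triage of a fleet inventory against the fixed cPanel plugin version 2.4.8. The inventory columns, hostnames and status labels are assumptions; versions are compared numerically so that 2.4.10 is not mistaken for older than 2.4.8.

```python
import csv
import io

FIXED_USER_PLUGIN = "2.4.8"  # fixed cPanel plugin version named in the advisory
IN_SCOPE_PLATFORMS = {"cloudlinux", "cagefs"}  # conditions named in the advisory

# Constructed inventory: column names, hosts and values are assumptions.
SAMPLE_INVENTORY = """\
host,platform,user_plugin
web01.example,cloudlinux,2.4.7
web02.example,cloudlinux,2.4.10
web03.example,cagefs,2.4.8
web04.example,cloudlinux,absent
web05.example,other,2.4.1
web06.example,cagefs,2.4
web07.example,cloudlinux,unknown
"""

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_older(installed, fixed):
    """Numeric comparison, zero-padded so '2.4' is treated as '2.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def classify(row):
    version = row["user_plugin"].strip().lower()
    if version == "absent":
        return "plugin-absent"  # still review logs if it was removed recently
    if row["platform"].strip().lower() not in IN_SCOPE_PLATFORMS:
        return "outside-advisory-conditions"
    try:
        return "vulnerable" if is_older(version, FIXED_USER_PLUGIN) else "patched"
    except ValueError:
        return "verify-manually"  # version string could not be parsed

def triage(inventory_csv):
    """Map each host in the CSV text to its status label."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```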