⚠️ LiteSpeed cPanel Plugin Flaw Lets Hackers Gain Root Access — Patch Now

16 June 2026 — CISA has added a high-severity vulnerability in the LiteSpeed cPanel plugin to its Known Exploited Vulnerabilities catalog, warning that it is being actively exploited.

The Vulnerability

CVE-2026-54420 (CVSS 8.5 — High) allows a user with FTP or web shell access to escalate their privileges to root on shared hosting servers running CloudLinux or CageFS.

The issue is in the LiteSpeed cPanel plugin (versions before 2.4.8) — it mishandles symlinks, which attackers can abuse to break out of their restricted environment and gain full control of the server.

How Bad Is This?

  • CVSS 8.5 — High severity
  • Allows any FTP or web shell user to become root
  • Affects shared hosting servers running CloudLinux/CageFS
  • Namecheap discovered the issue and reported it on May 31, 2026

Check If Your Server Is Compromised

Run this command:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
  • No output = server likely not affected
  • Any output = further investigation needed

LiteSpeed warns that legitimate UI flows don't chain generateEcCert immediately with packageUserSize, and legitimate users make one call at a time — attackers typically make 7-10 concurrent calls.

Fixed Version

Update to LiteSpeed WHM Plugin v5.3.2.1 (bundled with cPanel plugin v2.4.8) or higher.

What UK Hosting Customers Should Do

  1. Contact your hosting provider — ask if they use LiteSpeed and whether they've patched
  2. Check your account — look for unusual files, unexpected FTP connections
  3. Secure FTP access — use strong passwords and SFTP instead of plain FTP
  4. Monitor logs — watch for suspicious symlink creation or privilege escalation attempts

Source: The Hacker News / CISA / LiteSpeed