
CISA warns of another cPanel plugin flaw exploited in attacks

CVE-2026-54420 exploited – CISA says an actively exploited LiteSpeed cPanel user-end plugin flaw (CVE-2026-54420, also tracked as CVE-2026-48172) is giving attackers a path from FTP or web shell access to root privileges on shared hosting servers running CloudLinux/CageFS. Federal agenc

It’s the kind of warning that doesn’t leave much room for debate: CISA has told U.S. government agencies they have three days to secure their servers after flagging an actively exploited vulnerability in a LiteSpeed cPanel user-end plugin.

The issue is tracked as CVE-2026-54420 and is also listed as CVE-2026-48172. CISA’s focus is on servers where LiteSpeed’s cPanel user-end plugin is installed, specifically in environments that are running CloudLinux/CageFS and have shared hosting configurations.

The vulnerability’s severity is high because it turns access into control: attackers who already have FTP or web shell access can use the flaw to escalate privileges to root on shared hosting servers. The weakness is described as a “UNIX symlink following” problem, a detail that matters because it points to why this can be weaponized quickly once adversaries find the right path on a target system.

CISA also notes that the flaw affects all versions of the cPanel user-end plugin before 2.4.8. LiteSpeed, for its part, said it flagged the bug as actively exploited in early June and then released urgent security updates, urging customers to update the cPanel user-end plugin, which is bundled with the WHM plugin, to the latest version.

To help administrators check whether their systems may already have been exposed, CISA included a command intended to spot signs of exploitation attempts targeting CVE-2026-48172. The recommended check is:


grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

“If this command results in any output, the vulnerability may have been exploited on your server. [..] To determine any damage done, examine the system logs for any actions taken by the detected IPs,” LiteSpeed said. “This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.”
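To show what the indicator check surfaces and how to start acting on a hit, here is an added example that is not from CISA, LiteSpeed or the original article: it applies the same regular expression to log lines and groups the hits by client IP, which is the starting point for the follow-up review LiteSpeed describes. The sample lines are constructed in an Apache-style layout and are not real cPanel log excerpts; the two directories the published command names are the ones to scan on a live server.

```python
import os
import re
from collections import Counter

# Indicator regex exactly as published for CVE-2026-48172, only wrapped in a
# Python raw string.
INDICATOR = re.compile(
    r"cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (Apache-style layout, not a real cPanel log format).
# Lines 1, 3 and 4 carry the indicator; line 2 is a harmless API call.
SAMPLE_LOG = """\
203.0.113.7 - user1 [01/Jun/2026:10:15:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert&cpanel_jsonapi_module=SSL HTTP/1.1" 200
198.51.100.23 - user2 [01/Jun/2026:10:16:40 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=listpops&cpanel_jsonapi_module=Email HTTP/1.1" 200
203.0.113.7 - user1 [01/Jun/2026:10:17:11 +0000] "POST /frontend/jupiter/ssl/index.html?cert_action_entry = geneccert HTTP/1.1" 302
198.51.100.23 - user2 [01/Jun/2026:10:18:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200
"""


def find_hits(lines):
    """Return (line_number, line) for every line the indicator regex matches."""
    return [(n, line) for n, line in enumerate(lines, 1) if INDICATOR.search(line)]


def hits_by_ip(lines):
    """Count indicator hits per client IP, so the review of 'actions taken by
    the detected IPs' can start from the addresses actually involved."""
    counts = Counter()
    for _, line in find_hits(lines):
        m = IPV4.search(line)
        counts[m.group(0) if m else "<no ip>"] += 1
    return dict(counts)


def scan_paths(roots):
    """Walk real log directories and collect hits per file, mirroring grep -r."""
    results = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, errors="replace") as fh:
                        hits = find_hits(fh)
                except OSError:
                    continue  # unreadable or vanished file, like grep's 2>/dev/null
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    import sys

    roots = sys.argv[1:] or ["/usr/local/cpanel/logs/", "/var/cpanel/logs/"]
    for path, hits in scan_paths(roots).items():
        for n, line in hits:
            print(f"{path}:{n}: {line.rstrip()}")
    print("sample hits by IP:", hits_by_ip(SAMPLE_LOG.splitlines()))
```

Run it with no arguments to scan the two cPanel log directories, or pass other paths. A hit only means the indicator string was present, which the advisory says means the flaw "may have been" exploited; the per-IP counts are there to focus the follow-up review of what those addresses did, not to settle the question on their own.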

For federal agencies, the technical instruction lands inside an even tighter enforcement timeline. On Monday, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV). That KEV listing orders Federal Civilian Executive Branch agencies to secure their systems within three days under Binding Operational Directive (BOD) 26-04.


BOD 26-04 was issued last Wednesday, revoking the older BODs 19-02 and 22-01. Its core requirement pushes agencies to prioritize patching based on the risk that a flaw is being actively exploited.

CISA also spelled out the practical factors teams should weigh when judging what to do next: whether the security flaw is included in CISA’s KEV catalog; whether the asset is publicly exposed online; whether exploitation can be automated for large-scale attacks; and whether successful exploitation could give attackers partial or total control of the targeted system.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned yesterday. It urged agencies to follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders, the agency added, are responsible for evaluating each asset’s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

The warning doesn’t arrive in isolation. Last month, CISA told federal agencies to patch another LiteSpeed cPanel vulnerability identified as CVE-2026-48172. That earlier flaw was exploited by unauthenticated attackers to execute arbitrary scripts with root privileges—another signal that shared hosting environments using cPanel-related components remain a high-value target.

The sequence is stark: a plugin that runs on widely used hosting infrastructure, a vulnerability that turns relatively limited access into root-level control, and an exploitation timeline that has already moved past the point where “wait and see” is a workable strategy for defenders.


4 Comments

  1. Three days?! That’s not even enough time to find the update button on the host side. Also I don’t get why it’s “root” from FTP… like FTP isn’t supposed to be that powerful, right?

  2. Replying to Mark Johnson—nah it’s not cPanel in general, it’s a LiteSpeed plugin thing or whatever. But the article says symlink following and then root on shared hosting… so wouldn’t this mainly hit small mom and pop shared hosts? Feels like every shared host is basically one wrong link away from being owned.

  3. They want people to run a grep command like that’s gonna magically tell you everything. Like if it outputs something, maybe it’s just normal logs from legit cert stuff? I feel like half these security warnings are written for people who already know how to SSH into /usr/local/cpanel/logs without panicking.
