CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalog on June 16, and the patch clock for federal agencies runs out today, June 18. If you operate shared hosting on LiteSpeed plus CloudLinux, this one belongs at the top of the queue: it is a local privilege escalation that turns any confined tenant into root on the host.

What happened

CVE-2026-54420 (CVSS 8.5) is a flaw in LiteSpeed’s user-end cPanel plugin. A user who already has a foothold on a shared box — valid FTP credentials, or a web shell dropped through a vulnerable customer site — can abuse the plugin to escalate from their unprivileged account all the way to root. On a multi-tenant server that is the whole ballgame: one compromised hosting account becomes full control of every site on the machine.

The bug lives in how the plugin handles symlinks supplied by an unprivileged user on a server running CloudLinux’s CageFS. CageFS is the isolation layer that gives each customer a virtualized, locked-down view of the filesystem, and breaking out of it is exactly the boundary shared hosting is built on. The plugin performs privileged operations on paths a tenant controls; by planting symlinks and then chaining internal plugin API calls in an order the normal UI never produces, an attacker redirects those privileged operations to targets outside their cage.

The exploitation signature

LiteSpeed and the cPanel team published a clean detection signature. The attack chains two JSON-API functions — generateEcCert immediately followed by packageUserSize for the same user — fired 7 to 10 times concurrently from a single source IP. Legitimate UI flows never pair those two calls, and never run them in parallel, so the pattern is a reliable indicator of compromise rather than a noisy heuristic.

The timeline is compressed and familiar. Namecheap reported the issue to LiteSpeed on May 31. cPanel pushed an emergency uninstall of the user-end plugin the same day, LiteSpeed shipped a fix on June 1, the CVE was formally assigned June 14, and CISA confirmed in-the-wild exploitation with the June 16 KEV listing and a two-day remediation deadline. The fix has existed for over two weeks — but unpatched shared-hosting fleets are a large, slow-moving target, which is precisely why it is being exploited now.

Am I affected?

Vulnerable: the LiteSpeed user-end cPanel plugin before v2.4.8 (as shipped in LiteSpeed WHM plugin before v5.3.2.0) on a CloudLinux/CageFS server. The WHM plugin on its own is not affected — this is specifically the user-end component installed into customer accounts.

To check whether the signature has already fired, LiteSpeed provides this grep across the cPanel logs:

1

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

No output means you are clear. Output is not automatically a compromise — confirm by looking for the generateEcCert-then-packageUserSize pairing for the same user, the 7–10 concurrent calls, and a single IP hammering both endpoints. If it matches, pull system logs for everything those IPs touched.

What to do right now

Update the WHM plugin, which carries the fixed user-end plugin v2.4.8:

1

wget -O- https://litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh | sh

If you cannot patch immediately, remove the user-end plugin entirely — that closes the hole on its own:

1

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

The target state is LiteSpeed WHM plugin v5.3.2.1 (cPanel plugin v2.4.8) or later. One caveat for hosting providers: any box that matches the log signature should be treated as a confirmed root-level compromise and rebuilt, not cleaned. Once an attacker reaches root on the host, tenant isolation tells you nothing about what else they touched, and a single shared server can mean hundreds of breached sites.

References