
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers who already have FTP or web shell access to escalate their privileges to root on shared hosting servers running CloudLinux/CageFS.
The vulnerability affects all user-end plugin versions before 2.4.8 and stems from a "UNIX symlink following" weakness (CWE-61): a privileged component operates on a path that a low-privileged user controls, so a symbolic link planted by that user can redirect the operation to a file it should never touch.
LiteSpeed flagged it as actively exploited in early June and released urgent security updates, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version.
Users are advised to run the following command to check whether their server shows signs of attacks targeting the CVE-2026-48172 vulnerability (note that it searches the logs for exploitation attempts; it does not tell you whether the installed plugin version is vulnerable, which is determined by the version check above):
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
"If this command results in any output, the vulnerability may have been exploited on your server. [..] To determine any damage done, examine the system logs for any actions taken by the detected IPs," LiteSpeed said. "This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8."
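The advisory stops at "look for any output"; the next step it asks for is tracing the client IPs behind those hits through the rest of the system logs. The script below is an added example, not LiteSpeed's or cPanel's own tooling: it wraps the advisory's exact grep pattern in a function that defaults to the two log directories named above, and summarises the unique client IPs and their hit counts. It assumes that matching log lines begin with the client IP, as cPanel's access_log does; the sample log it writes is constructed for the demonstration and is not real traffic.

```shell
#!/bin/sh
# Added example (not LiteSpeed's or cPanel's code): run the advisory's
# indicator pattern over the cPanel logs and list the client IPs behind
# any hits, so they can be chased through the rest of the system logs.
# Assumption: each matching log line starts with the client IP, as in a
# cPanel access_log. Sample data below is constructed, not real traffic.

# Pattern quoted verbatim from the LiteSpeed advisory.
IOC_PATTERN='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# Collect the raw matching lines from the given files/directories
# (defaults to the two directories the advisory names). Returns 1 when
# nothing matched so callers can gate an alert on the exit status.
ioc_lines() {
    [ $# -gt 0 ] || set -- /usr/local/cpanel/logs/ /var/cpanel/logs/
    grep -rhE "$IOC_PATTERN" "$@" 2>/dev/null
}

# Unique client IPs (first field of each matching line), sorted.
ioc_ips() {
    hits=$(ioc_lines "$@") || return 1
    printf '%s\n' "$hits" | awk '{print $1}' | sort -u
}

# "<count> <ip>" per client, busiest first.
ioc_summary() {
    hits=$(ioc_lines "$@") || return 1
    printf '%s\n' "$hits" | awk '{c[$1]++} END {for (ip in c) print c[ip], ip}' | sort -rn
}

# Constructed sample log: two suspicious calls from one host, one from a
# second host, and one benign API call that must not trigger the pattern.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - user1 [10/06/2026:02:14:11 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert&cpanel_jsonapi_module=SSL HTTP/1.1" 200 0 "" "curl/8.0"
198.51.100.7 - user2 [10/06/2026:02:15:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=listaccts HTTP/1.1" 200 0 "" "Mozilla/5.0"
203.0.113.5 - user1 [10/06/2026:02:16:40 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200 0 "" "curl/8.0"
192.0.2.9 - user3 [10/06/2026:02:20:12 +0000] "cert_action_entry user=user3 action=geneccert" 200 0 "" "python-requests/2.31"
EOF
}

# Stand-alone demo against the constructed sample.
main() {
    log=$(mktemp)
    make_sample_log "$log"
    if ioc_summary "$log"; then
        echo "possible exploitation attempts: review these IPs in the system logs"
    else
        echo "no indicator hits"
    fi
    rm -f "$log"
}
main
```

On a real server, call `ioc_summary` with no arguments to scan the advisory's default directories, or pass your own paths (for example rotated logs) as arguments; a non-zero exit status means no hits, which makes the function usable as a cron-driven alert.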
On Monday, CISA also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems within three days, as required by Binding Operational Directive (BOD) 26-04.
BOD 26-04 was issued last Wednesday (revoking the older BODs 19-02 and 22-01) and requires U.S. federal agencies to prioritize patching based on the likelihood of exploitation.
Key factors to consider when assessing the risk include whether the security flaw is listed in CISA's KEV catalog, whether the asset is publicly exposed online, whether exploitation can be automated for large-scale attacks, and whether successful exploitation grants attackers partial or total control of the targeted system.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned yesterday. "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."
Last month, CISA warned federal agencies to patch another LiteSpeed cPanel vulnerability (CVE-2026-48172), which unauthenticated attackers exploited to execute arbitrary scripts with root privileges.


