CISA Adds Another Actively Exploited LiteSpeed cPanel Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has placed a high-severity vulnerability in the LiteSpeed cPanel user-end plugin into its Known Exploited Vulnerabilities catalog and directed federal agencies to apply fixes inside three days.

CISA sets three-day patching deadline for federal systems. On June 16, 2026, CISA added CVE-2026-54420 to the KEV catalog. Federal Civilian Executive Branch agencies must secure their systems by June 19 under Binding Operational Directive 26-04.

BOD 26-04 was issued last Wednesday, revoking earlier directives 19-02 and 22-01. It requires agencies to prioritize patching based on exploitation risk factors including KEV listing, public exposure, automation potential, and control granted to attackers.

Vulnerability allows root privilege escalation on shared hosting. Tracked as CVE-2026-54420, the flaw stems from a 'UNIX symlink following' weakness. It affects all LiteSpeed cPanel user-end plugin versions before 2.4.8 and was reported by Namecheap.

Attackers with FTP or web shell access can escalate privileges to root on servers running CloudLinux or CageFS. LiteSpeed flagged the vulnerability as actively exploited in early June and released urgent updates.

LiteSpeed provides detection command for compromised servers. Administrators can run the command "grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null" to check for signs of exploitation targeting CVE-2026-48172. "If this command results in any output, the vulnerability may have been exploited on your server," LiteSpeed said. "To determine any damage done, examine the system logs for any actions taken by the detected IPs. This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8."

Agency highlights broader risks to federal enterprise. CISA stated "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." Agencies must follow applicable BOD 26-04 guidance for cloud services or discontinue use if mitigations are unavailable.

Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to patching guidelines. Last month, CISA warned federal agencies to patch another LiteSpeed cPanel vulnerability (CVE-2026-48172), which unauthenticated attackers exploited to execute arbitrary scripts with root privileges.