LiteSpeed cPanel Flaw Gives FTP Users Root Access
CVE-2026-54420 stems from symlink mishandling and lets low-privilege users escalate to root on shared hosting servers. CISA mandates federal patching within 48 hours as attackers target multi-tenant environments.
CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalog on June 15, 2026, after confirming active attacks against shared hosting servers running the LiteSpeed cPanel plugin. The symlink-following vulnerability allows any user with FTP or web shell access to escalate privileges to root—a worst-case scenario for multi-tenant hosting environments.
Federal agencies received an unusually aggressive June 18 deadline, just three days after the KEV addition.
Technical Breakdown
The flaw affects LiteSpeed cPanel plugin versions before 2.4.8 (distributed in LiteSpeed WHM Plugin before 5.3.2.0). According to The Hacker News, the vulnerability stems from improper handling of symbolic links in shared hosting configurations using CloudLinux or CageFS.
In a typical shared hosting setup, CageFS isolates each user's filesystem to prevent one tenant from accessing another's files. CVE-2026-54420 breaks this isolation. An attacker with basic FTP credentials can craft symlinks that the LiteSpeed plugin follows with elevated privileges, ultimately achieving root access on the underlying server.
The CVSS 8.5 score reflects the serious impact: a single compromised low-privilege account can lead to complete server takeover, potentially exposing every website and database hosted on that machine.
Discovery and Disclosure
Namecheap, one of the largest domain registrars and hosting providers, reported the vulnerability to LiteSpeed on May 31, 2026. LiteSpeed released a patched version on June 1, with the CVE identifier officially assigned on June 14—a day before CISA's KEV addition confirmed wild exploitation.
The tight timeline between patch release and confirmed attacks suggests either rapid exploit development or prior knowledge of the vulnerability among threat actors.
Detecting Compromise
LiteSpeed provided specific detection guidance. Administrators should examine logs for suspicious API call patterns, specifically generateEcCert followed by packageUserSize calls for the same user account. Legitimate traffic shows these calls sequentially, while exploitation attempts typically produce 7-10 concurrent requests—a clear anomaly.
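The detection logic above, as an added example that is not LiteSpeed's own tooling: a small Python scanner that groups plugin API calls by user, finds each generateEcCert call, and counts the packageUserSize calls that follow it inside a short window. The log line format ("timestamp user api_call"), the 2-second window used to approximate "concurrent", and the threshold of 7 (taken from the article's 7-10 figure) are assumptions; the sample log is constructed. A real deployment would replace parse_log with a parser for the actual plugin log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO timestamp> <user> <api_call>".
# alice and carol show legitimate, sequential use; bob shows a burst of
# packageUserSize calls right after generateEcCert.
SAMPLE_LOG = """\
2026-06-15T10:00:01 alice generateEcCert
2026-06-15T10:00:04 alice packageUserSize
2026-06-15T10:10:00 carol generateEcCert
2026-06-15T10:12:30 carol packageUserSize
2026-06-15T10:14:10 carol packageUserSize
2026-06-15T10:20:00 bob generateEcCert
2026-06-15T10:20:00 bob packageUserSize
2026-06-15T10:20:00 bob packageUserSize
2026-06-15T10:20:00 bob packageUserSize
2026-06-15T10:20:00 bob packageUserSize
2026-06-15T10:20:01 bob packageUserSize
2026-06-15T10:20:01 bob packageUserSize
2026-06-15T10:20:01 bob packageUserSize
2026-06-15T10:20:01 bob packageUserSize
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, api_call) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_suspicious_users(events, window_seconds=2, threshold=7):
    """Return {user: burst_size} for users where a generateEcCert call is
    followed by at least `threshold` packageUserSize calls within the window.
    Window and threshold are assumptions chosen for this example."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ts, user, call in events:
        by_user[user].append((ts, call))

    flagged = {}
    for user, calls in by_user.items():
        for ts, call in calls:
            if call != "generateEcCert":
                continue
            # Count packageUserSize calls landing in [ts, ts + window].
            burst = sum(
                1 for t, c in calls
                if c == "packageUserSize" and timedelta(0) <= t - ts <= window
            )
            if burst >= threshold:
                flagged[user] = max(flagged.get(user, 0), burst)
    return flagged


def scan(text):
    """Convenience wrapper: parse a log body and return the flagged users."""
    return find_suspicious_users(parse_log(text))


if __name__ == "__main__":
    for user, burst in scan(SAMPLE_LOG).items():
        print(f"suspicious: {user} ({burst} packageUserSize calls after generateEcCert)")
```

Run against the constructed sample, only bob is flagged (8 calls in one second); carol's two calls spread over minutes and alice's single call stay below the threshold, which is the sequential pattern the guidance describes as legitimate.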
Security teams should also audit recent symlink creation in user directories and look for unexpected privilege changes or new root-level processes spawned from user contexts.
Impact on Hosting Providers
The vulnerability's implications extend beyond individual servers. Shared hosting providers often run thousands of customer sites on a single physical or virtual machine. One compromised tenant—even through stolen FTP credentials from phishing attacks—could gain access to every other customer's data.
This isn't the first time cPanel plugins have landed in CISA's KEV. We covered a previous LiteSpeed escalation affecting different code paths, suggesting the plugin's privilege handling warrants systematic review.
Patching and Mitigation
- Update immediately to LiteSpeed WHM Plugin v5.3.2.1 or higher (includes cPanel plugin v2.4.8)
- Audit FTP accounts and disable any unnecessary or orphaned access
- Review symlinks in user home directories for suspicious patterns
- Enable comprehensive logging for API calls to detect exploitation attempts
- Consider temporary isolation of unpatched servers from production networks
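The symlink audit recommended in the detection section and in the "Review symlinks in user home directories" item above, as an added example that is not part of the article or LiteSpeed's guidance: a Python walker that inspects every symlink under each user's home (without following links into other trees) and reports links whose resolved target lies outside that home, plus dangling links. The directory layout, the home path argument and the constructed demo tree are assumptions; which findings count as "suspicious" on a real server is a judgement call, so the script only reports and never modifies anything.

```python
import os
import tempfile
from pathlib import Path


def escapes_home(link: Path, home: Path) -> bool:
    """True if the symlink's fully resolved target is not inside `home`."""
    try:
        target = link.resolve(strict=False)
    except (OSError, RuntimeError):
        return True  # unresolvable or looping links deserve a look
    try:
        target.relative_to(home.resolve())
        return False
    except ValueError:
        return True


def audit_symlinks(homes_root):
    """Walk a /home-style tree and return (user, link, raw_target, reason)
    for every symlink that is dangling or escapes its owner's home."""
    findings = []
    root = Path(homes_root)
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        # followlinks=False: never descend into a symlinked directory.
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                p = Path(dirpath) / name
                if not p.is_symlink():
                    continue
                raw = os.readlink(p)
                if not p.exists():          # exists() follows the link
                    reason = "dangling"
                elif escapes_home(p, home):
                    reason = "escapes-home"
                else:
                    continue                # link stays inside the home: fine
                findings.append((home.name, str(p.relative_to(home)), raw, reason))
    return findings


def run_demo():
    """Build a constructed tree in a temp dir and audit it.
    alice has a harmless in-home link; bob has two links out of his home
    (one absolute, one relative) and one dangling link."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        secret = tmp / "secret"
        secret.mkdir()
        (secret / "config.php").write_text("<?php // constructed, outside /home\n")
        homes = tmp / "home"

        alice = homes / "alice" / "public_html"
        alice.mkdir(parents=True)
        (alice / "index.html").write_text("ok")
        os.symlink("public_html/index.html", homes / "alice" / "www_index")

        bob = homes / "bob" / "public_html"
        bob.mkdir(parents=True)
        os.symlink(str(secret / "config.php"), bob / "config.txt")  # absolute, escapes
        os.symlink("../../../secret", bob / "s")                    # relative, escapes
        os.symlink("does_not_exist", homes / "bob" / "gone")        # dangling

        return audit_symlinks(homes)


if __name__ == "__main__":
    for user, link, raw, reason in run_demo():
        print(f"{reason:13} {user}:{link} -> {raw}")
```

On a live server you would call audit_symlinks("/home") (or the CageFS-mounted equivalent) and compare the output with a baseline taken before the patch window; links that resolve under another tenant's home or under system directories are the ones to investigate first.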
Hosting providers running CloudLinux should verify CageFS integrity and consider additional hardening of user isolation boundaries while patching is in progress.
The broader pattern here is concerning: shared hosting infrastructure—once considered a solved problem—continues producing privilege escalation paths. Organizations trusting sensitive data to shared hosting environments should weigh the cost savings against these recurring risks.