## Overview
CISA added CVE-2026-54420 to the KEV catalog on June 15, 2026. The vulnerability was actively exploited in May 2026 on shared hosting servers using CloudLinux/CageFS. This addition reflects confirmed real-world exploitation, triggering federal agency remediation deadlines.
## Technical Details
The LiteSpeed cPanel plugin (versions before 2.4.8, distributed in LiteSpeed WHM Plugin before 5.3.2.0) mishandles user-provided symbolic links. A user with FTP access or a web shell on a CloudLinux/CageFS server can manipulate symlinks to traverse directories. The flaw occurs when the plugin follows symlinks without proper validation during file operations.
## Impact
Attackers with FTP or web shell access on affected shared hosting servers gain unauthorized access to sensitive system files. This allows full server compromise, data exfiltration, and lateral movement. The vulnerability is particularly dangerous on shared hosting environments where multiple users share resources. Exploitation in May 2026 confirmed its viability for widespread attacks.
## Mitigation
Immediate action is required. Update the LiteSpeed WHM Plugin to version 5.3.2.0 or later. Administrators must verify all installations of the plugin and apply the update. No workarounds are recommended; the vendor has released a patch addressing the symlink handling flaw. Monitor for additional exploitation attempts targeting unpatched servers.
CSURFACE Threat Sensor