INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
cPanel plugin flaw exploited for root privilege escalation
2026-06-16 08:53 CRITICAL HIGH
Executive Summary AI-generated
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding the exploitation of an actively used vulnerability in LiteSpeed cPanel user-end plugins, posing significant risks to federal enterprises. The CVE-2026-48172 flaw allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS. CISA warns that users must update their server software within three days of receiving the alert and advises against using a specific command to check for vulnerability, as it may indicate exploitation. The agency has also issued a binding operational directive requiring federal agencies to prioritize patching based on risk, with older directives revoked.
Technical Mitigations AI-generated
* Regularly update and patch all plugins, including the cPanel user-end plugin (bundled with WHM), to the latest version, as recommended by CISA.
* Use a web application firewall (WAF) or intrusion detection system (IDS) to detect and prevent attacks targeting the CVE-2026-48172 vulnerability in LiteSpeed cPanel plugins.
* Implement secure authentication and authorization mechanisms to limit access to shared hosting servers running CloudLinux/CageFS, such as using IP blocking or rate limiting on FTP and web shell access.
* Monitor system logs for any suspicious activity, including actions taken by detected IPs, to detect potential exploitation of the CVE-2026-48172 vulnerability.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20262
CVE-2026-48172
CVE-2026-54420
Target & Sectors
NORTH_AMERICA
government
Incident Timeline
2026/05/17
Threat actors used a known exploit of the LiteSpeed cPanel plugin to target U.S. CISA.
attribution
LiteSpeed cPanel
"Last month, CISA warned federal agencies to patch another LiteSpeed cPanel vulnerability (CVE-2026-48172), which unauthenticated attackers exploited to execute arbitrary scripts with root privileges."
May 31, 2026
Threat actors exploited known vulnerabilities in Cisco Catalyst and LiteSpeed cPanel plugins.
2026/06/15
Threat actors exploited a vulnerability in Cisco Catalyst network equipment and LiteSpeed cPanel plugin to gain unauthorized access.
Jun 16, 2026
Threat actors exploited vulnerabilities in Cisco Catalyst network equipment and LiteSpeed cPanel plugin to gain unauthorized access.
2026/06/16
LiteSpeed cPanel plugin vulnerabilities affect all user-end plugin versions before 2.4.8 and allow attackers with FTP or web shell access to gain root privileges.
organisation
CVSS
The two flaws added to the catalog are:
CVE-2026-20262
(CVSS score of 6.5)
organisation
Cisco Catalyst SD-WAN
Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
CVE-2026-54420
(CVSS score of 8.5)
organisation
LiteSpeed
The second issue added to the catalog, CVE-2026-54420, is a privilege-escalation vulnerability affecting LiteSpeed’s cPanel plugin on shared hosting servers running CloudLinux or CageFS.
LiteSpeed flagged it as actively exploited in early June and released urgent security updates, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version.
It's currently not known how the vulnerability is being exploited in the wild and if any of those attacks have been successful, but LiteSpeed has urged users to run the command below to check if their servers are affected -
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
If the grep command does not show any output, it indicates the server has not been impacted by the issue.
organisation
cPanel
Users are advised to upgrade to LiteSpeed WHM Plugin v5.3.2.1 (bundled w/ cPanel plugin v2.4.8) or higher to patch the vulnerability.
organisation
CloudLinux
It allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS.
organisation
LiteSpeed WHM Plugin v5.3.2.1
LiteSpeed advises administrators to check server logs for indicators of compromise and upgrade to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later.
organisation
FTP
The flaw stems from improper handling of user-controlled symbolic links, allowing attackers with FTP or web shell access to gain root privileges.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
infrastructure
2.4.8
“This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.”
This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a 'UNIX symlink following' weakness.
organisation
CloudLinux/CageFS
"LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS," according to a description of the vulnerability in CVE.org.
organisation
IP
Administrators should look for suspicious patterns such as consecutive generateEcCert and packageUserSize calls for the same user, multiple concurrent requests, and the same IP accessing both endpoints.
financial
04 BOD
"Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.
organisation
UI
If there is any output, LiteSpeed has shared additional indicators to rule out any false positives -
generateEcCert immediately followed by packageUserSize for the same user (legitimate UI flows don't chain these)
7-10 concurrent calls per attempt (legitimate UI does one at a time)
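The indicators listed above (chained calls for one user, bursts of calls, one IP reaching both endpoints) applied to log lines, as an added Python example that is not from LiteSpeed, CISA or the quoted articles. The log line layout, timestamp format, 2-second window and sample lines are assumptions constructed for illustration; only the two function names and the 7-call figure come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout (not confirmed by the page): IP, "-", cPanel user, [timestamp], "request".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*'
    r'cpanel_jsonapi_func=(?P<func>generateEcCert|packageUserSize)\b')
TS_FORMAT = "%m/%d/%Y:%H:%M:%S %z"  # assumed timestamp format

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["ip"], m["func"]))
    events.sort(key=lambda e: e[0])  # stable sort: same-second lines keep their log order
    return events

def triage(lines, window=timedelta(seconds=2), burst=7):
    by_user = defaultdict(list)
    for ev in parse(lines):
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        reasons = set()
        # Indicator 1: generateEcCert immediately followed by packageUserSize for this user.
        if any(a[3] == "generateEcCert" and b[3] == "packageUserSize" for a, b in zip(evs, evs[1:])):
            reasons.add("chained")
        # Indicator 2: `burst` or more calls inside `window`, a proxy for concurrent requests.
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= burst:
                reasons.add("burst")
        # Indicator 3: a single IP called both endpoints for this user.
        ips = lambda fn: {e[2] for e in evs if e[3] == fn}
        if ips("generateEcCert") & ips("packageUserSize"):
            reasons.add("same_ip_both")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample lines (documentation IP ranges, made-up users and request paths).
SAMPLE = [
    '203.0.113.10 - alice [06/10/2026:10:00:00 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200 0',
    '203.0.113.11 - carol [06/10/2026:10:05:00 -0000] "GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200 0',
] + [f'198.51.100.7 - bob [06/10/2026:11:00:0{i // 4} -0000] "GET /json-api/cpanel?cpanel_jsonapi_func={fn} HTTP/1.1" 200 0'
     for i, fn in enumerate(["generateEcCert", "packageUserSize"] * 4)]
```

Calling `triage(SAMPLE)` flags only the constructed user `bob`; the single calls by `alice` and `carol` match the grep pattern but none of the three indicators.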
June 18, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw in the LiteSpeed cPanel plugin to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the fixes by June 18, 2026.
attribution
the LiteSpeed cPanel
CISA orders federal agencies to urgently fix the LiteSpeed cPanel plugin vulnerability by June 18, 2026.
attribution
Known Exploited
Ravie Lakshmanan
Jun 16, 2026
Vulnerability / Server Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026.
June 29, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch the Cisco Catalyst plugin vulnerability by June 29, 2026.
target_region
United States
The US agency orders federal agencies to fix the Cisco Catalyst plugin vulnerability by June 29, 2026.
Tactical Metrics
Metrics
infrastructure
2.4.8
Software Version
Intelligence Sources
The Hacker News
2026-06-16
BleepingComputer
2026-06-16
CISA warns of another cPanel plugin flaw exploited in attacks
BleepingComputer
Security Affairs
2026-06-16
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:28
Comprehensive Tactical Telemetry
Highly Correlated Entities
15x
organisation
Identified Entity
CVSS
entity
14x
attribution
Attributing Entity
LiteSpeed cPanel
authority
8x
timeline
Temporal Reference
June 29, 2026
date
3x
vulnerability
Exploited CVE
CVE-2026-20262
cve
2x
vulnerability
CVSS Score
6
score
2x
tactic
MITRE ATT&CK Technique
T1588.006 - Vulnerabilities
technique
2x
general metric
%
54
%
Contextual Telemetry
Context Block
10 METRICS
target region
Target Country
United States
country
tactic
Cyber Operation Type
Privilege Escalation
tactic
infrastructure
Software Version
2.4.8
version
industry
Targeted Sector
Government
sector
general metric
Binding Operational Directive
26
binding operational directive
general metric
Older Bods
19
older bods
financial
Bod
4
bod
general metric
Score
8
score
general metric
Jun
16
jun
general metric
Concurrent
7
concurrent