A symlink-following vulnerability in LiteSpeed's user-end cPanel plugin (CVE-2026-54420, CVSS 8.5) lets any tenant with FTP or web shell access escape the CloudLinux/CageFS container and escalate to root on the host server. The flaw has been exploited in the wild since May 2026. CISA added it to its Known Exploited Vulnerabilities catalog on June 15 with a federal remediation deadline of June 18. The fix is in cPanel Plugin 2.4.8 / WHM Plugin 5.3.2.1.

What the Vulnerability Is

LiteSpeed's cPanel plugin processes file paths and symlinks supplied by individual hosting account users. When a user with FTP access or a web shell places a crafted symlink inside their account, the LiteSpeed plugin follows the link while running as root — without verifying that the resolved path stays inside the user's CageFS jail. The symlink can point to any file on the underlying host: /etc/passwd, SSH authorized keys, cron jobs, or executable binaries. Because the plugin operates with root privileges to manage LiteSpeed configuration, the attacker can read or overwrite files that should be completely off-limits. Observed attacks use the technique to write a new root-level cron entry or add a public SSH key, achieving persistent root access to the entire server — and by extension, every other hosting account on it.

Why It Matters

  • Blast radius is the whole server. A single compromised tenant (or one rented cheaply by an attacker) can take over the shared server and every site hosted on it, including their databases and emails.
  • CloudLinux/CageFS was supposed to prevent exactly this. CageFS virtualizes the user's view of the filesystem, and its entire value proposition is container isolation. This flaw bypasses that boundary via the LiteSpeed plugin.
  • Actively exploited since May. CISA confirmed in-the-wild exploitation; attacks are not theoretical.
  • Public PoC available. A working exploit was published on GitHub, lowering the bar for any attacker targeting unpatched shared hosts.
  • CISA KEV with a 3-day federal deadline signals high urgency.

Am I Affected?

You are exposed if you run a shared hosting server using cPanel + CloudLinux/CageFS, the LiteSpeed cPanel plugin is installed and earlier than 2.4.8, and any tenant on that server has FTP access (or any tenant account was given a web shell through prior compromise). Hosting companies and VPS owners running cPanel-based shared environments should treat this as urgent. End users on shared hosting should ask their host whether they've patched — they cannot patch this themselves.

What to Do About It

1. Update the LiteSpeed cPanel plugin to 2.4.8 or later

Run the upgrade from the WHM command line, or via WHM → Plugins → LiteSpeed Web Server → Check for Updates:

/usr/local/cpanel/whostmgr/docroot/cgi/addon_lsws.cgi upgrade

Confirm the installed version:

cat /usr/local/lsws/admin/html.open/lib/lsws.version
# Alternatively, check the WHM LiteSpeed Plugin page

The fix is bundled in WHM Plugin 5.3.2.1, which ships cPanel Plugin 2.4.8.

2. Check for existing compromise

LiteSpeed provides a specific command to scan for symlink abuse — run it immediately:

/usr/local/cpanel/whostmgr/docroot/cgi/addon_lsws.cgi checksymlinks

Review the output for any symlinks pointing outside the expected CageFS paths. Also audit recently added cron jobs and SSH authorized keys at the root level:

crontab -l -u root
cat /root/.ssh/authorized_keys

Look for any entries added in May or June 2026 you don't recognize.

3. Audit FTP access and tenant accounts

# Show the last 50 system logins recorded in wtmp and compare them against your tenant list;
# cpuwatch pauses the command while the load average exceeds 99
/usr/local/cpanel/bin/cpuwatch 99 last -n 50

4. Harden CageFS

Even after patching, reinforce CageFS isolation so no stale mount points remain that could be abused:

cagefsctl --force-update
cagefsctl --remount-all

5. If you confirm root-level compromise

  • Isolate the server from the network immediately.
  • Rotate all root and WHM passwords.
  • Audit all cPanel accounts for additional web shells or backdoors.
  • Notify affected customers — if the server was compromised, all accounts on it must be treated as potentially breached.
  • Consider a full rebuild from a known-clean snapshot if the timeline allows.

Quick-Win Checklist

  • Updated LiteSpeed cPanel plugin to ≥ 2.4.8 / WHM Plugin ≥ 5.3.2.1.
  • Ran LiteSpeed's built-in symlink check command.
  • Audited /root/.ssh/authorized_keys for unrecognized entries.
  • Audited the root crontab for unrecognized entries.
  • Ran cagefsctl --force-update && cagefsctl --remount-all.
  • Notified hosted customers if compromise is confirmed.
