CISA Warns of Actively Exploited cPanel Plugin Flaw

"This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8," LiteSpeed warned.

CVE-2026-54420 and a related cPanel plugin flaw, CVE-2026-48172

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to secure servers against an actively exploited LiteSpeed cPanel user‑end plugin vulnerability tracked as CVE-2026-54420. Separately, a high‑severity weakness tracked as CVE-2026-48172 — reported by Namecheap — stems from a "UNIX symlink following" flaw and affects all user‑end plugin versions before 2.4.8.

According to the published advisory, the Namecheap‑reported flaw allows an attacker who already has FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS. LiteSpeed flagged this issue as actively exploited in early June and issued urgent security updates.

CISA's three‑day directive under BOD 26‑04

On Monday, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV) and used Binding Operational Directive (BOD) 26‑04 to require Federal Civilian Executive Branch (FCEB) agencies to remediate within three days. BOD 26‑04, issued last Wednesday and revoking older directives BOD 19‑02 and BOD 22‑01, directs agencies to prioritize patching based on the risk of exploitation.

CISA listed specific risk factors for prioritization: whether a flaw appears in the KEV catalog, whether the asset is publicly exposed online, whether exploitation can be automated for large‑scale attacks and whether successful exploitation grants partial or total control of the targeted system. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. CISA further advised agencies to "Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable."

LiteSpeed's mitigation steps and forensic guidance

LiteSpeed instructed users to update the cPanel user‑end plugin — which is bundled with the WHM plugin — to the latest available version and released urgent updates after flagging active exploitation. To help administrators detect potential compromises, LiteSpeed provided a command to search cPanel logs for signs of exploitation:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

"If this command results in any output, the vulnerability may have been exploited on your server. [...] To determine any damage done, examine the system logs for any actions taken by the detected IPs," LiteSpeed said.

What this means for FCEB agencies, hosting providers, and security teams

  • FCEB agencies: Agencies must treat the KEV listing and the three‑day remediation window as mandatory under BOD 26‑04, evaluate internet exposure of affected assets and apply updates or discontinue use where mitigations are unavailable.
  • Hosting providers and shared‑hosting operators: Providers running CloudLinux/CageFS and cPanel user‑end plugins prior to 2.4.8 must install LiteSpeed's updates urgently and run the provided grep to identify potential prior exploitation and the IPs involved.
  • Security teams and incident responders: Teams should review system logs for detected IPs and investigate any output from the suggested search. CISA's guidance places cloud services under additional scrutiny: follow BOD 26‑04 cloud guidance or consider discontinuing the product if no adequate mitigations exist.
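The log search LiteSpeed published above, and the follow-up step the hosting-provider and incident-responder bullets describe (identify the IPs involved, then check what they did), can be wrapped in a small script so the output is a clean list of source addresses rather than raw grep lines. The following is an added example, not LiteSpeed's or CISA's code: it reuses the advisory's exact grep pattern, but the sample log lines are constructed for this example and only approximate a cPanel access log, and the function names and the temporary directory layout are assumptions of the example. On a real server the two log paths from the advisory would be passed in place of the sample directory.

```shell
#!/bin/sh
# Added example (not LiteSpeed's or CISA's code). Re-runs the advisory's log
# search and extracts the source IPs from any matching lines so they can be
# cross-checked against system logs, as the advisory recommends.
# Assumptions: the sample log layout below is constructed and only approximates
# a cPanel access log; function names are ours.

# Indicator pattern copied verbatim from the LiteSpeed advisory.
INDICATOR_RE='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# scan_cpanel_logs DIR...: the advisory's grep over one or more log directories.
# Prints each matching line prefixed with its file name; prints nothing if clean.
scan_cpanel_logs() {
    grep -rE "$INDICATOR_RE" "$@" 2>/dev/null
}

# extract_ips DIR...: unique IPv4 addresses taken from the matching lines only.
# These are the addresses whose other activity should be reviewed in system logs.
extract_ips() {
    scan_cpanel_logs "$@" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# make_sample_logs DIR: write a constructed sample access log under DIR/logs.
# Two of the four lines carry the advisory's indicators; the others are benign.
make_sample_logs() {
    mkdir -p "$1/logs"
    cat > "$1/logs/access_log" <<'EOF'
203.0.113.7 - user1 [10/Jun/2026:09:12:01 +0000] "GET /execute/Email/list_pops HTTP/1.1" 200 512
198.51.100.22 - user2 [10/Jun/2026:09:13:44 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=generateEcCert&cpanel_jsonapi_module=LiteSpeed HTTP/1.1" 200 98
198.51.100.22 - user2 [10/Jun/2026:09:14:02 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200 77
192.0.2.9 - user3 [10/Jun/2026:09:15:10 +0000] "GET /execute/Fileman/list_files HTTP/1.1" 200 2048
EOF
}

# Stand-alone run: build the constructed sample, search it, list the IPs.
sample_dir=$(mktemp -d)
make_sample_logs "$sample_dir"
echo "matching lines:"
scan_cpanel_logs "$sample_dir/logs"
echo "source IPs to cross-check in system logs:"
extract_ips "$sample_dir/logs"
rm -rf "$sample_dir"
```

Any line returned by scan_cpanel_logs is the condition LiteSpeed describes as "the vulnerability may have been exploited"; extract_ips only narrows the next step, it does not confirm compromise, and the IP regex covers IPv4 only, so a server that accepts IPv6 clients needs a second pattern for those addresses.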

Detection shortfalls and the broader risk environment

The advisory underscores a larger detection problem. The bulletin cites a statistic from a Picus whitepaper: security teams log 54% of successful attacks but alert on just 14%, leaving many intrusions to "move through your environment unseen." In an environment where privilege‑escalation bugs can quickly yield root access, undetected lateral movement can magnify initial compromises into full server takeovers.

The record in this advisory is straightforward: urgent updates are available, CISA has elevated the flaw into its KEV catalog and federal agencies face a three‑day compliance clock under BOD 26‑04. Administrators running affected cPanel user‑end plugin versions before 2.4.8 should update immediately, run the LiteSpeed log search, and examine any resulting IP activity. CISA's guidance — to remediate, to assess internet exposure, or to discontinue use if mitigations are lacking — frames the policy and operational choices now on the table.