CVE-2026-54420

Vulnerability

The vulnerability resides in LiteSpeed's user-end cPanel plugin (also distributed as part of LiteSpeed WHM PlugIn). Versions prior to 2.4.8 (WHM plugin prior to 5.3.2.0) mishandle symlinks provided by a user with FTP or web shell access on shared hosting servers running CloudLinux/CageFS [1][2]. This allows a low-privileged user to trigger a privilege escalation path.

Exploitation

An attacker who already has FTP or web shell access on a shared hosting server can exploit this by providing symlinks that the plugin mishandles. According to the advisory, exploitation involves chaining the generateEcCert and packageUserSize API calls in quick succession (7–10 concurrent calls from the same source IP) [2]. This sequence is atypical of legitimate user interface flows, which do not chain these functions. The attacker's malicious symlinks likely cause the plugin to perform file operations with elevated privileges.

Impact

Successful exploitation allows the attacker to escalate privileges to root on the shared hosting server [2]. This grants full control over the server, enabling data theft, modification of hosted content, installation of backdoors, and further compromise of all accounts on the server.

Mitigation

The fix is included in LiteSpeed cPanel plugin version 2.4.8, bundled with LiteSpeed WHM plugin version 5.3.2.1 [2]. Users should update immediately using the provided command: wget -O- https://litespeedtech.com/packages/cpane… (full URL in reference) [2]. After updating, system administrators should check for signs of exploitation using the command grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null [2]. No workaround is available; upgrading is essential.