LiteSpeed cPanel Plugin Symlink Escalation to Root Under Active Exploitation (CVE-2026-54420)

Scope: LiteSpeed cPanel Plugin Prior to Version 2.4.8 (Bundled in LiteSpeed WHM Plugin Prior to 5.3.2.0) on CloudLinux/CageFS Shared Hosting

Severity: High

CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities (KEV) catalog on June 16, 2026 with a June 18 remediation deadline, following LiteSpeed's own confirmation that active exploitation has been occurring since May 2026 on shared hosting servers running CloudLinux or CageFS. The flaw allows any tenant with FTP or web shell access to craft malicious symlinks that the plugin mishandles, bypassing CageFS isolation boundaries and escalating to root, which gives the attacker full control of the entire server and every other tenant's data on it. This is especially critical in the shared hosting environments common among Ugandan web hosting providers, where a single compromised low-privilege account can result in mass compromise of hundreds of co-hosted websites. Administrators should immediately upgrade to LiteSpeed WHM Plugin 5.3.2.0 or later (bundled with cPanel plugin 2.4.8), run the IOC check command against cPanel logs to assess prior exploitation, and audit for dormant or unauthorized accounts.
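As an added example (not part of the CERT.UG/CC advisory, not LiteSpeed's tooling, and not the IOC check command the advisory refers to), the following Python script shows one way a hosting administrator could audit a tenant's home directory for symlinks that resolve outside it, the class of tenant-created artefact this flaw depends on. The directory layout it builds is constructed sample data, and the function names find_escaping_symlinks and build_sample_tenant are assumptions. A hit from this script is a review item, not proof of exploitation; the plugin upgrade and the log-based IOC check remain the primary actions.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home_dir):
    """Walk home_dir without following symlinks and return (relative_path, raw_target)
    for every symlink whose resolved target lies outside home_dir.

    Links that resolve inside the tenant's own home are ignored; links that cannot be
    resolved (loops, broken chains) are reported because they cannot be vouched for.
    """
    home = Path(home_dir).resolve()
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):
        # Symlinked directories appear in `dirs` but are not descended into.
        for name in dirs + files:
            p = Path(root) / name
            if not p.is_symlink():
                continue
            raw_target = os.readlink(p)
            try:
                resolved = p.resolve(strict=False)
            except (OSError, RuntimeError):
                resolved = None  # symlink loop or similar: treat as suspicious
            if resolved is None or not resolved.is_relative_to(home):
                findings.append((str(p.relative_to(home)), raw_target))
    return findings


def build_sample_tenant():
    """Construct a throwaway tenant home (constructed sample data, hypothetical names)
    containing one benign symlink and two symlinks that escape the tenant's home."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    home = base / "home" / "tenant1"
    (home / "public_html").mkdir(parents=True)
    (home / "public_html" / "index.html").write_text("<html></html>\n")

    # A neighbouring tenant's directory, used only as a link target for the sample.
    other = base / "home" / "other_tenant"
    other.mkdir()
    (other / "wp-config.php").write_text("<?php // constructed sample file\n")

    # Benign: relative link that stays inside the tenant's home.
    os.symlink("public_html/index.html", home / "benign_link")
    # Escaping: relative link climbing out of the home with '..'.
    os.symlink("../../other_tenant/wp-config.php", home / "public_html" / "relative_escape")
    # Escaping: absolute link pointing straight at another tenant's file.
    os.symlink(str(other / "wp-config.php"), home / "abs_escape")
    return home


if __name__ == "__main__":
    tenant_home = build_sample_tenant()
    for rel_path, target in find_escaping_symlinks(tenant_home):
        print(f"REVIEW: {tenant_home / rel_path} -> {target}")
```

On a real server the same function would be pointed at each directory under /home (or wherever the control panel places tenant homes) and run as an unprivileged audit user; it only reads link metadata and never opens the link targets.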

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.