LiteSpeed cPanel plugin symlink attack (CVE-2026-54420)
CVE-2026-54420 (CVSS 8.5): symlink mishandling in LiteSpeed cPanel plugin 2.4.7 and earlier lets users with low privileges read/write arbitrary files on shared hosting. Update to 2.4.8 or WHM PlugIn 5.3.2.0.
Actively exploited in the wild - CVE-2026-54420 is a high-severity symlink-handling vulnerability in the LiteSpeed cPanel plugin before 2.4.8 that lets users with FTP or web shell access escalate to read or write arbitrary files on a shared hosting server. Patched in plugin version 2.4.8 and WHM PlugIn 5.3.2.0 — update immediately.
Overview
CVE-2026-54420 affects the LiteSpeed cPanel plugin (distributed as part of the LiteSpeed WHM PlugIn before version 5.3.2.0). The software mishandles symlinks provided by a user who already has low-privilege access (FTP or web shell) on a shared hosting server running CloudLinux with CageFS. By crafting malicious symlinks, an attacker can break out of their jailed environment and read or write files belonging to other accounts or the system itself.
The vulnerability is rated HIGH with a CVSS score of 8.5. Attack complexity is high, but the attacker needs only low privileges and no user interaction — making this especially dangerous in shared hosting environments where many customers coexist on the same server.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild since May 2026. Despite a low EPSS probability score (0.3%), the confirmed exploitation warrants immediate patching.
Impact
An attacker with an FTP account or a web shell on a shared hosting server using CloudLinux/CageFS can:
- Read sensitive files from other customers’ accounts (e.g., database credentials, configuration files, source code)
- Write malicious files to other customers’ web roots (e.g., webshells, defacements, malware)
- Potentially escape the CageFS jail to read system-level files
This is a classic container-escape-style vulnerability applied to a shared hosting environment — the symlink mishandling lets the attacker bypass the filesystem isolation that CloudLinux/CageFS is supposed to enforce.
Affected Versions
- LiteSpeed cPanel plugin before 2.4.8
- LiteSpeed WHM PlugIn before 5.3.2.0
Remediation
- Update the plugin: Upgrade the LiteSpeed cPanel plugin to version 2.4.8 or later. For WHM PlugIn users, update to version 5.3.2.0 or later.
- Check for signs of compromise: On shared hosting servers, review file integrity on customer accounts that may have been targeted. Look for unexpected symlinks or files that were modified around May 2026.
- Restrict FTP/shell access: Where possible, limit FTP and web shell access to only accounts that genuinely need it.
- Monitor logs: Audit symlink creation attempts and filesystem anomaly alerts in CloudLinux/CageFS environments.
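One way to run the "unexpected symlinks" check from the list above, as an added example that is not code from LiteSpeed, cPanel or CloudLinux. It assumes each account's home is a direct subdirectory of a single root (`/home` here), treats any symlink that resolves outside its own account's home as worth review, and takes an optional cutoff timestamp to narrow results to a time window.

```python
#!/usr/bin/env python3
"""Added example: list symlinks in each account home that resolve outside it."""
import os
import sys
from datetime import datetime, timezone


def find_escaping_symlinks(home_root, since=None):
    """Return one finding per symlink under home_root/<account>/ whose
    resolved target lies outside that account's own directory.

    since: optional POSIX timestamp; links whose own mtime is older are skipped.
    """
    findings = []
    for entry in sorted(os.scandir(home_root), key=lambda e: e.name):
        # Only real directories count as account homes; a symlinked entry
        # at the top level is not descended into.
        if not entry.is_dir(follow_symlinks=False):
            continue
        account_home = os.path.realpath(entry.path)
        # os.walk does not descend into symlinked directories by default,
        # so the scan itself cannot be led outside the account.
        for dirpath, dirnames, filenames in os.walk(entry.path):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                st = os.lstat(path)  # metadata of the link, not its target
                if since is not None and st.st_mtime < since:
                    continue
                resolved = os.path.realpath(path)  # follows the whole chain
                if os.path.commonpath([account_home, resolved]) != account_home:
                    findings.append({
                        "account": entry.name,
                        "link": path,
                        "raw_target": os.readlink(path),
                        "resolved": resolved,
                        "link_uid": st.st_uid,
                        "mtime": datetime.fromtimestamp(
                            st.st_mtime, timezone.utc).isoformat(),
                    })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"  # assumed layout
    for f in find_escaping_symlinks(root):
        print(f["account"], f["link"], "->", f["resolved"],
              "uid=%d" % f["link_uid"], f["mtime"], sep="\t")
```

Some out-of-home links are legitimate on a given server, so treat the output as a review list and compare `link_uid` and `mtime` against the account's known activity.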
Security Insight
CVE-2026-54420 is a textbook example of how shared hosting isolation mechanisms — intended to protect customers from each other — can be undermined by a single symlink-handling oversight. This vulnerability follows a pattern seen in container escape bugs and shared-hosting privilege escalation incidents over the past decade, suggesting that the industry’s reliance on filesystem-level isolation (CageFS, CloudLinux, or containers) continues to create a blind spot for symlink-based attacks. Vendors who implement jail-like environments should treat symlink handling as a first-class security boundary.