
CISA warns of another cPanel plugin flaw exploited in attacks

Why This Matters

This alert highlights a critical security vulnerability in cPanel plugins that is actively being exploited, emphasizing the urgent need for timely updates to protect servers and sensitive data. For the tech industry and consumers, it underscores the importance of proactive vulnerability management and rapid response to emerging threats to maintain cybersecurity integrity.

Key Takeaways

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.

Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.

This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a 'UNIX symlink following' weakness.

LiteSpeed flagged it as actively exploited in early June and released urgent security updates, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version.

Users are advised to use the following command to check if their server is vulnerable to attacks targeting the CVE-2026-48172 vulnerability:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

"If this command results in any output, the vulnerability may have been exploited on your server. [..] To determine any damage done, examine the system logs for any actions taken by the detected IPs," LiteSpeed said. "This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8."
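As an added example (not LiteSpeed's or this article's code), the script below reuses the same pattern to group matching lines by client address, then pulls every logged line from one address for the follow-up review the advisory describes. It assumes access-log lines begin with the client IP; the sample log lines, paths and user names are constructed.

```bash
#!/usr/bin/env bash
# Added example: group hits for LiteSpeed's indicator pattern by client address.
# Assumption: access-log lines start with the client IP; anything else is
# reported as "unknown" and needs manual review.

# Same pattern as the vendor's grep command.
IOC_PATTERN='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# summarize_hits PATH...  ->  "<count> <ip>" lines, busiest first
summarize_hits() {
    grep -rhE -- "$IOC_PATTERN" "$@" 2>/dev/null |
    awk '{
        # Use field 1 only if it looks like an IPv4 or IPv6 address.
        ip = ($1 ~ /^[0-9a-fA-F:.]+$/ && $1 ~ /[.:]/) ? $1 : "unknown"
        hits[ip]++
    }
    END { for (ip in hits) printf "%d %s\n", hits[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# follow_up IP PATH...  ->  every logged line from IP, not only the matches
follow_up() {
    ip=$1; shift
    grep -rhF -- "$ip " "$@" 2>/dev/null | awk -v ip="$ip" '$1 == ip'
}

# make_sample_logs DIR: writes CONSTRUCTED log lines (documentation IPs,
# made-up paths and users) so the functions can be tried offline.
make_sample_logs() {
    cat > "$1/access_log" <<'EOF'
192.0.2.10 - alice [02/Jun/2026:10:00:01 +0000] "GET /x?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
192.0.2.10 - alice [02/Jun/2026:10:00:03 +0000] "GET /x?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200
198.51.100.7 - bob [02/Jun/2026:10:02:11 +0000] "GET /x?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
192.0.2.10 - alice [02/Jun/2026:10:00:09 +0000] "POST /x/upload HTTP/1.1" 200
203.0.113.5 - carol [02/Jun/2026:10:05:00 +0000] "GET /x?cpanel_jsonapi_func=otherFunc HTTP/1.1" 200
EOF
    cat > "$1/error_log" <<'EOF'
[2026-06-02 10:00:02] cert_action_entry user=alice action=geneccert
EOF
}

# Usage on a server: summarize_hits /usr/local/cpanel/logs/ /var/cpanel/logs/
# Demo: d=$(mktemp -d); make_sample_logs "$d"; summarize_hits "$d"
```

Lines counted under "unknown" matched the pattern but did not start with an address, so they have to be correlated by timestamp and user instead.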

On Monday, CISA also added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems within three days, as required by Binding Operational Directive (BOD) 26-04.

BOD 26-04 was issued last Wednesday (revoking the older BODs 19-02 and 22-01) and requires U.S. federal agencies to prioritize patching based on the risk of exploitation.

Key factors to consider when assessing the risks include whether the security flaw is included in CISA's KEV catalog, whether the asset is publicly exposed online, whether exploitation can be automated for large-scale attacks, and whether successful exploitation grants attackers partial or total control of the targeted system.
