LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild
By Abinaya
June 16, 2026
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited in the wild, posing a serious threat to shared hosting environments worldwide.
The flaw, tracked as CVE-2026-54420, enables privilege escalation to root level, allowing attackers to take full control of affected servers under specific conditions.
LiteSpeed cPanel Plugin Zero-Day Vulnerability
According to LiteSpeed Technologies, the vulnerability impacts only the user-end cPanel plugin and does not affect the WHM plugin itself.
However, since the user-end plugin is bundled with the WHM plugin, many environments may still be exposed if not updated.
The issue was responsibly disclosed by researchers at Namecheap, who observed suspicious behavior linked to exploitation attempts before reporting it to the vendor.
At its core, the vulnerability allows an attacker with limited initial access, such as FTP credentials or access to a compromised web shell, to abuse internal API calls within the cPanel plugin.
By chaining specific functions in unintended ways, attackers can bypass the privilege boundaries enforced by CloudLinux’s CageFS isolation and ultimately escalate their privileges to root.
This effectively breaks tenant isolation in shared hosting setups, potentially exposing other users hosted on the same server.
Analysis of exploitation patterns shows that attackers are leveraging abnormal sequences of internal API requests, particularly involving the generateEcCert and packageUserSize functions.
Under normal conditions, these operations are not executed in immediate succession. However, in observed attacks, these calls are deliberately chained together in rapid bursts, often executed concurrently across multiple threads.
This behavior suggests the use of automated exploitation scripts designed to increase the likelihood of successful privilege escalation.
Forensic indicators further show that attackers typically operate from a single source IP that repeatedly targets both vulnerable endpoints.
Concurrent bursts of 7–10 simultaneous requests, unlike normal sequential user activity, create detectable anomalies in server logs that defenders can use to identify attacks.
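The burst pattern described above can be hunted for with a sliding-window pass over request logs. The sketch below is an added example, not code from LiteSpeed or from the original article; the log line layout, the 2-second window and the sample entries are assumptions made for illustration, and only the two function names and the 7-request threshold come from the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Function names are from the article; log layout and window size are assumptions.
WATCHED = ("generateEcCert", "packageUserSize")
BURST_MIN = 7                    # article: bursts of 7-10 simultaneous requests
WINDOW = timedelta(seconds=2)    # assumed definition of a "rapid burst"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # "<ISO time> <source IP> <request>"

def parse(lines):
    """Yield (timestamp, ip, function) for lines that mention a watched function."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        func = next((f for f in WATCHED if m and f in m.group(3)), None)
        if func is None:
            continue
        try:
            yield datetime.fromisoformat(m.group(1)), m.group(2), func
        except ValueError:
            continue  # unparseable timestamp: skip rather than abort the hunt

def find_bursts(lines):
    """Return {ip: (burst_start, request_count)} for the largest burst per IP."""
    by_ip = defaultdict(list)
    for ts, ip, func in parse(lines):
        by_ip[ip].append((ts, func))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            # Flag only when one IP hits BOTH functions in a dense window.
            if len(window) >= BURST_MIN and {f for _, f in window} == set(WATCHED):
                if ip not in hits or len(window) > hits[ip][1]:
                    hits[ip] = (window[0][0], len(window))
    return hits

# Constructed sample: one 8-request burst, plus a normal user minutes apart.
SAMPLE = [f"2026-06-02T03:14:07.{n * 100:03d} 203.0.113.50 POST func={WATCHED[n % 2]}"
          for n in range(8)] + [
    "2026-06-02T09:00:00.000 198.51.100.7 POST func=generateEcCert",
    "2026-06-02T09:12:30.000 198.51.100.7 POST func=packageUserSize",
]

if __name__ == "__main__":
    for ip, (when, count) in find_bursts(SAMPLE).items():
        print(f"{ip}: {count} chained requests starting {when.isoformat()}")
```

Adapt `LINE_RE` to the actual log format on the server before running it against real data.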
LiteSpeed has released a patch in cPanel plugin version 2.4.8, bundled with WHM plugin version 5.3.2.1, which addresses the vulnerability by correcting improper access controls and tightening API handling.
Administrators are strongly urged to apply the update immediately, as unpatched systems remain at high risk of compromise.
For systems that cannot be updated immediately, removing the user-end plugin is recommended as a temporary mitigation step to eliminate the attack surface.
Reported on May 31, 2026, the flaw prompted rapid action from LiteSpeed and cPanel, which quickly mitigated and removed the vulnerable component.
A patched version was released on June 1, 2026, and the CVE identifier was officially assigned on June 14, 2026.
Security experts warn that the real-world impact of this vulnerability could be severe, particularly in multi-tenant environments, where a single compromised account could result in a full server takeover.
Administrators are advised not only to patch but also to conduct thorough log analysis to identify any signs of prior exploitation, including unauthorized privilege changes, suspicious command execution, or unexpected modifications to system files.
LiteSpeed has acknowledged Namecheap’s contribution to identifying the issue and has credited the cPanel team for their swift mitigation efforts.
Given the active exploitation status, timely patching and proactive monitoring remain essential to prevent further incidents.