Industry News & Leadership, Jun 19, 2026

CISA Adds LiteSpeed cPanel Plugin Vulnerability to KEV List Following Active Exploitation

Source: Cybersecurity News. Archived Jun 19, 2026.



By Abinaya, June 19, 2026

CISA has added a critical LiteSpeed cPanel Plugin vulnerability, tracked as CVE-2026-54420, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation in the wild. The flaw affects shared hosting environments and poses a significant risk to servers running CloudLinux with CageFS isolation.

The vulnerability is classified as a UNIX symbolic link (symlink) following issue, mapped to CWE-61. It allows attackers with limited access, such as FTP credentials or a web shell, to exploit improper symlink handling within the LiteSpeed cPanel plugin. This weakness could enable unauthorized access to sensitive files outside of restricted directories, potentially leading to privilege escalation or data exposure across shared hosting accounts.

According to CISA, the vulnerability was officially added to the KEV list on June 15, 2026, with a remediation due date of June 18, 2026, under Binding Operational Directive (BOD) 26-04. This directive mandates that federal agencies and associated organizations prioritize remediation of actively exploited vulnerabilities.

Technical analysis indicates that the issue arises when the plugin fails to properly validate symbolic links during file operations. In shared hosting environments, attackers can create malicious symlinks pointing to sensitive system files or other users' data. If the server follows these links without validation, it may inadvertently expose restricted resources.

This type of vulnerability is particularly dangerous in multi-tenant environments, such as web hosting servers, where user isolation is critical. Although CloudLinux CageFS is designed to contain users within isolated file systems, improper symlink handling can bypass these protections if not properly mitigated.

While no confirmed attribution links CVE-2026-54420 to ransomware campaigns, CISA has emphasized that active exploitation is already occurring. Threat actors commonly exploit such vulnerabilities to gain initial access, conduct lateral movement, or exfiltrate data.

CISA recommends that organizations immediately apply vendor-provided mitigations and follow secure configuration practices. Administrators should review LiteSpeed plugin updates, enforce strict file permission policies, and turn off unsafe symlink behaviors where possible. Continuous monitoring for suspicious file access patterns and unexpected symlink creation is also advised.

Additionally, organizations must comply with CISA's Forensics Triage Requirements to ensure proper incident response readiness. This includes maintaining logs, monitoring access controls, and preparing for rapid investigation in the event of a compromise.

If mitigations are unavailable, CISA advises organizations to consider discontinuing use of affected products until a secure solution is implemented. Stakeholders are also encouraged to evaluate internet-facing assets and prioritize patching based on exposure and risk level. Security teams should treat this vulnerability as a high priority due to its exploitation status and potential impact on shared hosting infrastructure.

The inclusion of CVE-2026-54420 in the KEV catalog highlights the growing trend of attackers targeting hosting platforms to compromise multiple tenants through a single entry point. Organizations using LiteSpeed with cPanel are urged to act immediately to reduce the risk of compromise and ensure compliance with federal cybersecurity directives.
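The two recommendations above (validate symlinks during file operations, and watch for unexpected symlink creation) can be illustrated generically. This is an added example, not code from the article, CISA, or the LiteSpeed plugin; the function names, the `alice`/`bob` tenant directories and the file names are constructed assumptions.

```python
# Added illustration: names and directory layout are constructed assumptions.
import os
import tempfile

def find_escaping_symlinks(home):
    """Detection: (link, resolved_target) for links that resolve outside `home`."""
    root = os.path.realpath(home)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    hits.append((path, target))
    return sorted(hits)

def open_beneath(home, relpath):
    """Prevention: open `relpath` under `home`, refusing any symlink component."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path must stay inside the account directory")
    fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW  # never follow a link here
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            nxt = os.open(part, flags, dir_fd=fd)  # resolve relative to parent fd
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def demo():
    """Constructed layout: two tenant dirs; 'alice' holds a link into 'bob'."""
    base = os.path.realpath(tempfile.mkdtemp())
    alice, bob = os.path.join(base, "alice"), os.path.join(base, "bob")
    os.makedirs(os.path.join(alice, "public_html"))
    os.makedirs(bob)
    with open(os.path.join(bob, "config.php"), "w") as f:
        f.write("constructed secret\n")
    with open(os.path.join(alice, "public_html", "index.html"), "w") as f:
        f.write("ok\n")
    os.symlink(os.path.join(bob, "config.php"),
               os.path.join(alice, "public_html", "leak.txt"))
    return alice, bob
```

Walking the path one component at a time with `O_NOFOLLOW` and `dir_fd` avoids the check-then-open race that a separate `islink()` test before `open()` would leave.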