Critical LiteSpeed cPanel 0-Day Actively Plugin Vulnerability

A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is under active exploitation in the wild. The flaw poses a serious threat to shared hosting environments worldwide.

The flaw, tracked as CVE-2026-54420, enables privilege escalation to root level, allowing attackers to take full control of affected servers under specific conditions.

LiteSpeed cPanel Plugin Zero-Day Vulnerability

According to LiteSpeed Technologies, the vulnerability impacts only the user-end cPanel plugin and does not affect the WHM plugin itself.

However, since the user-end plugin is bundled with the WHM plugin, many environments may still be exposed if not updated.

The issue was responsibly disclosed by researchers at Namecheap, who observed suspicious behavior linked to exploitation attempts before reporting it to the vendor.

At its core, the vulnerability allows an attacker with limited initial access, such as FTP credentials or access to a compromised web shell, to abuse internal API calls within the cPanel plugin.

By chaining specific functions in unintended ways, attackers can bypass the privilege boundaries enforced by CloudLinux’s CageFS isolation and ultimately escalate their privileges to root.

This effectively breaks tenant isolation in shared hosting setups, potentially exposing other users hosted on the same server.

Analysis of exploitation patterns shows that attackers are leveraging abnormal sequences of internal API requests, particularly involving the generateEcCert and packageUserSize functions.

Under normal conditions, these operations are not executed in immediate succession. However, in observed attacks, these calls are deliberately chained together in rapid bursts, often executed concurrently across multiple threads.

This behavior suggests the use of automated exploitation scripts designed to increase the likelihood of successful privilege escalation.

Further forensic indicators indicate that attackers typically originate from a single source IP that repeatedly targets both vulnerable endpoints.

Concurrent bursts of 7–10 simultaneous requests unlike normal sequential user activity create detectable anomalies in server logs that defenders can use to identify attacks.

LiteSpeed has released a patch in cPanel plugin version 2.4.8, bundled with WHM plugin version 5.3.2.1, which addresses the vulnerability by correcting improper access controls and tightening API handling.

Administrators are strongly urged to apply the update immediately, as unpatched systems remain at high risk of compromise.

For systems that cannot be updated immediately, removing the user-end plugin is recommended as a temporary mitigation step to eliminate the attack surface.

Reported on May 31, 2026, the flaw prompted rapid action from LiteSpeed and cPanel, which quickly mitigated and removed the vulnerable component.

A patched version was released on June 1, 2026, and the CVE identifier was officially assigned on June 14, 2026.

Security experts warn that the real-world impact of this vulnerability could be severe, particularly in multi-tenant environments, where a single compromised account could result in a full server takeover.

Administrators are advised not only to patch but also to conduct thorough log analysis to identify any signs of prior exploitation, including unauthorized privilege changes, suspicious command execution, or unexpected modifications to system files.

LiteSpeed has acknowledged Namecheap’s contribution to identifying the issue and has credited the cPanel team for their swift mitigation efforts.

Given the active exploitation status, timely patching and proactive monitoring remain essential to prevent further incidents.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.