LiteSpeed's cPanel plugin is under active attack after a UNIX symbolic link vulnerability in it was added to CISA's Known Exploited Vulnerabilities (KEV) catalogue.
The flaw, tracked as CVE-2026-54420, carries a CVSS score of 8.5 and is rated HIGH.
It is a time-of-check-to-time-of-use (TOCTOU) symlink-following issue that lets a user with FTP or web shell access on a shared hosting server running CloudLinux or CageFS read or write arbitrary files without needing any additional privileges.
Exploitation requires only that initial low-privilege foothold, and CISA confirmed that the vulnerability is being exploited in the wild, which prompted its inclusion in the KEV catalogue.
No specific threat actors have been named, but the risk is significant for multi-tenant hosting environments, where unauthorized file access across tenant boundaries can lead to data leakage or further privilege escalation.
Defenders should apply the patch released by LiteSpeed without delay, restrict FTP and shell accounts to only those who absolutely need them, enforce least-privilege principles, and monitor for unusual symlink creation or unexpected file access patterns.
Following CISA's guidance and aligning with BOD 26-04 for vulnerability prioritisation will help ensure the issue is addressed promptly and reduce the chance of future abuse.
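One way to act on the monitoring advice above is to audit tenant home directories for symlinks whose resolved target lies outside the owning tenant's home, the pattern a cross-tenant symlink abuse leaves behind. This is an added example, not code from the article, LiteSpeed or cPanel; it assumes homes are laid out as `<root>/<user>/...` (as under `/home` on a cPanel host) and builds a constructed fixture in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path


def _inside(target: Path, home: Path) -> bool:
    """True if a fully resolved target path is home itself or lies beneath it."""
    return target == home or home in target.parents


def escaping_symlinks(homes_root):
    """Return (link_path, raw_target) for every symlink under homes_root/<user>
    whose resolved target is outside that user's own home directory.
    Links are not followed while walking, so a symlinked directory is reported
    once rather than descended into."""
    homes_root = Path(homes_root).resolve()
    findings = []
    for home in sorted(p for p in homes_root.iterdir()
                       if p.is_dir() and not p.is_symlink()):
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                raw = os.readlink(link)
                try:
                    # strict=False also resolves dangling links, so a link to a
                    # not-yet-created file outside home is still flagged
                    target = link.resolve(strict=False)
                except (RuntimeError, OSError):  # symlink loop: treat as suspect
                    target = None
                if target is None or not _inside(target, home):
                    findings.append((str(link), raw))
    return findings


def build_demo():
    """Constructed fixture: two tenants, one benign link, two escaping links."""
    root = Path(tempfile.mkdtemp(prefix="homes-"))
    alice = root / "alice" / "public_html"
    alice.mkdir(parents=True)
    (alice / "index.html").write_text("hello")
    (alice / "site-link").symlink_to("index.html")          # stays inside alice's home
    bob = root / "bob" / "public_html"
    bob.mkdir(parents=True)
    (bob / "cfg").symlink_to(alice / "index.html")          # points into another tenant
    (bob / "pw").symlink_to("/etc/passwd")                  # points at a system file
    return root


if __name__ == "__main__":
    for link, raw in escaping_symlinks(build_demo()):
        print(f"escaping symlink: {link} -> {raw}")
```

Run it against a real `/home` as root to get the same report for live tenants; only links that leave their owner's home are listed, so ordinary in-site links stay quiet.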