Overview
- CISA added the bug to its Known Exploited Vulnerabilities catalog on June 16 and directed Federal Civilian Executive Branch agencies to remediate by June 18, 2026.
- The flaw is a high-severity UNIX symlink-following privilege escalation that lets an attacker with FTP or web-shell access escalate to root on shared hosting running CloudLinux or CageFS.
- LiteSpeed released patches bundled as LiteSpeed WHM Plugin v5.3.2.1 and cPanel plugin v2.4.8 and told administrators to upgrade immediately to block active exploitation.
- Vendors published a grep-based log check to hunt signs of exploitation and warned the command can return false positives so teams must review chained API calls, concurrent requests, IP activity and system logs for confirmation.
- Namecheap reported the bug on May 31 and hosts, managed-service providers, and customers should run forensic checks for cross-tenant compromise and prioritize patching to prevent root takeovers.