Overview
- CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalog on Tuesday and directed Federal Civilian Executive Branch agencies to apply fixes by June 18 to meet binding remediation rules.
- The flaw is a symlink-handling weakness in the LiteSpeed cPanel plugin that lets an attacker with FTP or web‑shell access on shared hosting running CloudLinux/CageFS escalate privileges to root.
- LiteSpeed and vendors provided a grep command to scan cPanel logs and warned administrators to look for consecutive generateEcCert then packageUserSize calls for the same user, 7–10 concurrent requests per attempt, and the same IP hitting both endpoints.
- Administrators should immediately upgrade to LiteSpeed WHM Plugin v5.3.2.1 (cPanel plugin v2.4.8) or later, review system logs for the listed indicators, and run targeted forensic checks, because the vendor cautions that the grep results can produce false positives.
- CISA also added a separate Cisco Catalyst SD-WAN Manager flaw (CVE-2026-20262) with a June 29 federal fix deadline, signaling broader, time‑sensitive remediation needs for hosting and federal networks and raising the chance that signs of exploitation indicate wider account compromise.
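
The three log indicators listed above can be correlated in one pass, as in this added example, which is not LiteSpeed's grep command or any vendor code. The log line format, the 2-second window used to approximate "concurrent", and the sample lines are assumptions constructed for illustration; only the two endpoint names and the 7-request threshold come from the summary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, constructed line format (NOT the real cPanel log layout):
#   <ISO timestamp> <client ip> user=<account> action=<endpoint>
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) action=(\w+)$")
WATCHED = ("generateEcCert", "packageUserSize")  # endpoint names from the summary
WINDOW = timedelta(seconds=2)  # assumption: "concurrent" means within 2 seconds
MIN_BURST = 7                  # summary: 7-10 concurrent requests per attempt

def find_suspects(lines):
    """Return (user, ip, burst_size) for each user/IP pair whose generateEcCert
    call is followed by packageUserSize inside a burst of >= MIN_BURST requests."""
    by_key = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        ts, ip, user, action = m.groups()
        if action in WATCHED:
            # Keying on (user, ip) enforces "same user" and "same IP on both endpoints".
            by_key[(user, ip)].append((datetime.fromisoformat(ts), action))
    hits = []
    for (user, ip), events in sorted(by_key.items()):
        events.sort()
        for i, (start, action) in enumerate(events):
            if action != "generateEcCert":
                continue
            burst = [a for t, a in events[i:] if t - start <= WINDOW]
            if "packageUserSize" in burst and len(burst) >= MIN_BURST:
                hits.append((user, ip, len(burst)))
                break  # one finding per user/IP pair is enough for triage
    return hits

def sample_log():
    """Constructed sample: one burst matching the indicators plus benign traffic."""
    burst = ["2026-06-10T03:14:07.%d00 203.0.113.7 user=site42 action=%s"
             % (i, WATCHED[i % 2]) for i in range(8)]
    benign = ["2026-06-10T09:00:00 198.51.100.4 user=alice action=generateEcCert",
              "2026-06-10T09:30:00 198.51.100.4 user=alice action=packageUserSize",
              "2026-06-10T10:00:00 198.51.100.9 user=bob action=otherCall",
              "unparseable line"]
    return burst + benign

if __name__ == "__main__":
    for user, ip, size in find_suspects(sample_log()):
        print(f"review: user={user} ip={ip} burst={size}")
```

Each match is a lead for targeted forensic review of that account, not proof of compromise; the vendor's caution about false positives applies to this kind of log pattern as well.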