# [HIGH] CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation **Source:** The Hacker News **Published:** 2026-06-16 **Article:** https://thehackernews.com/2026/06/cisa-flags-litespeed-cpanel-plugin-flaw.html ## Threat Profile CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation  Ravie Lakshmanan  Jun 16, 2026 Vulnerability / Server Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026. The vulnerability in question is CVE-2026-54420 (CVSS score: 8.5), which h… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-54420` ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1068** — Exploitation for Privilege Escalation - **T1499.004** — Endpoint Denial of Service: Application or System Exploitation ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### CVE-2026-54420 LiteSpeed cPanel exploit: generateEcCert chained to packageUserSize for same user `UC_50_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as first_seen max(_time) as last_seen values(Web.url) as urls from datamodel=Web.Web where (Web.uri_query="*cpanel_jsonapi_func=generateEcCert*" OR Web.uri_query="*cpanel_jsonapi_func=packageUserSize*" OR Web.uri_query="*cert_action_entry*geneccert*") by _time Web.dest Web.src Web.user Web.uri_query span=1s | `drop_dm_object_name(Web)` | eval api_func=case(like(uri_query,"%generateEcCert%"),"generateEcCert",like(uri_query,"%packageUserSize%"),"packageUserSize",like(uri_query,"%geneccert%"),"cert_action_entry_geneccert") | transaction dest user maxspan=10s mvlist=t | where mvcount(api_func)>=2 AND mvfind(api_func,"generateEcCert")>=0 AND mvfind(api_func,"packageUserSize")>=0 | eval delay_sec=duration | table _time dest src user delay_sec api_func urls ``` **Defender KQL:** ```kql // Defender XDR does not natively ingest cPanel access logs. This query targets MDE-for-Linux hosts where cPanel logs are forwarded into /var/log via rsyslog and surfaced through DeviceEvents AdditionalFields, OR detects an admin running the LiteSpeed verification grep on a potentially-compromised server. DeviceProcessEvents | where Timestamp > ago(7d) | where DeviceName has_any ("cpanel","whm","cloudlinux") or FolderPath has "/usr/local/cpanel/" | where ProcessCommandLine has_all ("grep","cpanel_jsonapi_func") and ProcessCommandLine has_any ("generateEcCert","packageUserSize","geneccert") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath | order by Timestamp desc ``` ### CVE-2026-54420 LiteSpeed cPanel exploit: burst of 7-10 concurrent generateEcCert / packageUserSize calls `UC_50_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count from datamodel=Web.Web where (Web.uri_query="*cpanel_jsonapi_func=generateEcCert*" OR Web.uri_query="*cpanel_jsonapi_func=packageUserSize*" OR Web.uri_query="*cert_action_entry*geneccert*") by _time Web.dest Web.src Web.user span=2s | `drop_dm_object_name(Web)` | where count >= 7 AND count <= 20 | stats max(count) as peak_concurrent sum(count) as total_calls values(user) as users earliest(_time) as first_seen latest(_time) as last_seen by dest src | where peak_concurrent >= 7 ``` **Defender KQL:** ```kql // Defender XDR does not ingest cPanel access logs. This query hunts MDE-for-Linux hosts where cPanel JSON API calls leak into DeviceEvents AdditionalFields via syslog forwarding, or detects the LiteSpeed verification grep being executed. DeviceEvents | where Timestamp > ago(7d) | where AdditionalFields has_any ("generateEcCert", "packageUserSize", "cert_action_entry") | extend ApiFunc = case(AdditionalFields has "generateEcCert", "generateEcCert", AdditionalFields has "packageUserSize", "packageUserSize", "cert_action_entry_geneccert") | summarize ConcurrentCalls = count(), DistinctApis = dcount(ApiFunc), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, AccountName, bin(Timestamp, 5s) | where ConcurrentCalls >= 7 | order by Timestamp desc ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Article-specific behavioural hunt — CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation `UC_50_2` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/usr/local/cpanel/logs/*" OR Filesystem.file_path="*/var/cpanel/logs/*" OR Filesystem.file_path="*/dev/null*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/usr/local/cpanel/logs/", "/var/cpanel/logs/", "/dev/null")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-54420` ## Why this matters Severity classified as **HIGH** based on: CVE present, 5 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.