# [HIGH] CISA warns of another cPanel plugin flaw exploited in attacks

**Source:** BleepingComputer
**Published:** 2026-06-16
**Article:** https://www.bleepingcomputer.com/news/security/cisa-warns-of-another-actively-exploited-cpanel-plugin-flaw/

## Threat Profile

CISA warns of another cPanel plugin flaw exploited in attacks 
By Sergiu Gatlan 
June 16, 2026
06:47 AM
0 
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability ( CVE-2026-54420 ) in the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172 , this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privi…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-54420`
- **CVE:** `CVE-2026-48172`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1505.003** — Server Software Component: Web Shell
- **T1548** — Abuse Elevation Control Mechanism
- **T1068** — Exploitation for Privilege Escalation
- **T1222.002** — File and Directory Permissions Modification: Linux and Mac
- **T1496** — Resource Hijacking
- **T1098.004** — Account Manipulation: SSH Authorized Keys

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### cPanel LiteSpeed Plugin Exploit Endpoint Hit (CVE-2026-54420 / CVE-2026-48172)

`UC_40_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as urls values(Web.http_user_agent) as user_agents values(Web.src) as src_ips from datamodel=Web where (Web.url="*cpanel_jsonapi_func=generateEcCert*" OR Web.url="*cpanel_jsonapi_func=packageUserSize*" OR Web.url="*cert_action_entry*geneccert*") by Web.dest host sourcetype
| `drop_dm_object_name(Web)`
| where firstTime >= relative_time(now(),"-7d@d")
| sort - lastTime
```

### Symlink to cPanel/LiteSpeed Root-Owned Paths from Low-Privilege User (CageFS Escape)

`UC_40_3` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmds values(Processes.parent_process_name) as parents from datamodel=Endpoint.Processes where Processes.process_name=ln Processes.process="*-s*" (Processes.process="*/usr/local/lsws*" OR Processes.process="*/usr/local/cpanel*" OR Processes.process="*/var/cpanel*") NOT Processes.user IN ("root","cpanel","lsws","nobody","mailnull","cpaneleximscanner") by Processes.dest Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| where firstTime >= relative_time(now(),"-7d@d")
| sort - lastTime
```

**Defender KQL:**
```kql
// Low-priv ln -s pointing at cPanel/LiteSpeed root-owned paths
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "ln"
| where ProcessCommandLine has "-s"
| where ProcessCommandLine has_any ("/usr/local/lsws", "/usr/local/cpanel", "/var/cpanel")
| where AccountName !in~ ("root","cpanel","lsws","nobody","mailnull","cpaneleximscanner")
| where InitiatingProcessAccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by Timestamp desc
```

### Root Shell or Persistence Tool Spawned by lsws/cpanel Plugin Parent (Post-Exploit)

`UC_40_4` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmds values(Processes.parent_process) as parent_cmds from datamodel=Endpoint.Processes where (Processes.parent_process_path="*/usr/local/lsws/*" OR Processes.parent_process_path="*/usr/local/cpanel/*") Processes.user=root Processes.process_name IN ("bash","sh","dash","zsh","perl","python","python3","nc","ncat","socat","curl","wget","chmod","chown","useradd","usermod","passwd","ssh-keygen","crontab") by Processes.dest Processes.parent_process_name Processes.process_name Processes.user
| `drop_dm_object_name(Processes)`
| where firstTime >= relative_time(now(),"-7d@d")
| sort - lastTime
```

**Defender KQL:**
```kql
// Root-context shell or persistence tool with lsws/cpanel plugin parent
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath has_any ("/usr/local/lsws/", "/usr/local/cpanel/")
| where AccountName =~ "root"
| where FileName in~ ("bash","sh","dash","zsh","perl","python","python3","nc","ncat","socat","curl","wget","chmod","chown","useradd","usermod","passwd","ssh-keygen","crontab")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

### Article-specific behavioural hunt — CISA warns of another cPanel plugin flaw exploited in attacks

`UC_40_1` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — CISA warns of another cPanel plugin flaw exploited in attacks ```
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/usr/local/cpanel/logs/*" OR Filesystem.file_path="*/var/cpanel/logs/*" OR Filesystem.file_path="*/dev/null*")
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — CISA warns of another cPanel plugin flaw exploited in attacks
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has_any ("/usr/local/cpanel/logs/", "/var/cpanel/logs/", "/dev/null"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-54420`, `CVE-2026-48172`


## Why this matters

Severity classified as **HIGH** based on: CVE present, 5 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.