LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
Detects exploitation of CVE-2026-54420, a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel Plugin. Attackers with local access can create malicious symlinks to read or overwrite files outside the intended directory, potentially leading to privilege escalation or unauthorized file access on cPanel-managed hosting servers. This vulnerability is actively exploited in the wild (CISA KEV).
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- LiteSpeed
- Product
- cPanel Plugin
Weakness (CWE)
Timeline
- Disclosed
- June 15, 2026
References & Proof of Concept
- https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-54420
CVSS
What is CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability?
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability (CVE-2026-54420) maps to the Privilege Escalation and Defense Evasion and Credential Access tactics — the adversary is trying to gain higher-level permissions in MITRE ATT&CK.
This page provides production-ready detection logic for LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceFileEvents, DeviceProcessEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let timeframe = 1h;
let litespeed_paths = dynamic(['/usr/local/lsws', '/opt/cpanel/ea-php', '/etc/lsws', '/var/lsws']);
let sensitive_targets = dynamic(['/etc/passwd', '/etc/shadow', '/root/', '/home/', '/etc/ssh/', '/etc/sudoers']);
union
(
DeviceFileEvents
| where TimeGenerated >= ago(timeframe)
| where ActionType in ('FileCreated', 'FileModified')
| where FolderPath has_any (litespeed_paths)
| where FileType == 'SymbolicLink'
| extend TargetPath = tostring(parse_json(AdditionalFields).SymlinkTarget)
| where TargetPath has_any (sensitive_targets)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, TargetPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
),
(
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
| where ProcessCommandLine matches regex @'ln\s+-s'
| where InitiatingProcessFileName in~ ('lsup.sh', 'lsphp', 'litespeed', 'lshttpd', 'cpanel-plugin')
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
)
| extend AlertSeverity = 'High'
| extend Recommendation = 'Update LiteSpeed cPanel Plugin immediately. Investigate symlink targets for unauthorized file access.'
| order by TimeGenerated descDetects symbolic link creation in LiteSpeed cPanel Plugin directories pointing to sensitive system files, and symlink commands spawned by LiteSpeed processes. Covers both file event telemetry and process execution telemetry for breadth.
Data Sources
Required Tables
False Positives
- Legitimate LiteSpeed plugin updates that create internal symlinks during installation or upgrade
- cPanel or WHM administrative scripts performing routine maintenance that involve symlinking PHP binaries
- Hosting provider automation tools that manage multi-PHP environments using symlinks
- Security scanning tools that enumerate symlinks as part of configuration audits
Sigma rule & cross-platform mapping
The detection logic for LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability (CVE-2026-54420) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-54420
References (4)
- https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-54420
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Symlink in LiteSpeed Plugin Directory Targeting /etc/shadow
Expected signal: auditd SYSCALL=symlink with a1 pointing to /etc/shadow; FileOpenInfo event on /etc/shadow via the symlink path; process creating the symlink is a non-root user
- Test 2Symlink Traversal via LiteSpeed Binary Process Simulation
Expected signal: SYSCALL=symlink event for the ln -sv command; stat and readlink syscalls on the symlink; auditd logs should capture the effective UID and process name
- Test 3Enumerate LiteSpeed Plugin Directory and Create Targeted Symlink Chain
Expected signal: Multiple syscall events: find spawning openat calls on LiteSpeed paths; SYSCALL=symlink for the ln command; readdir on /root/.ssh via the symlink (if permitted); auditd AVC denials if SELinux/AppArmor active
Unlock Pro Content
Get the full detection package for CVE-2026-54420 including response playbook, investigation guide, and atomic red team tests.