Detect LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability in Splunk
Detects exploitation of CVE-2026-54420, a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel Plugin. Attackers with local access can create malicious symlinks to read or overwrite files outside the intended directory, potentially leading to privilege escalation or unauthorized file access on cPanel-managed hosting servers. This vulnerability is actively exploited in the wild (CISA KEV).
MITRE ATT&CK
SPL Detection Query
index=os OR index=endpoint sourcetype IN ("linux_audit", "auditd", "sysmon_for_linux", "osquery")
| eval event_time=_time
| search (syscall="symlink" OR syscall="symlinkat" OR process_name IN ("ln") AND ("ln -s" OR "ln --symbolic"))
| eval cmd=coalesce(cmd, command, cmdline)
| eval uid=coalesce(uid, user, auid)
| eval path_val=coalesce(nametype, path, file_path)
| where match(cmd, "(?i)(ln\s+-s|symlink)")
| eval suspicious_target=if(match(cmd, "(?i)(/etc/passwd|/etc/shadow|/root/|/etc/ssh|/etc/sudoers|/etc/cron|/proc/)"), 1, 0)
| eval litespeed_context=if(match(cmd, "(?i)(lsws|lsphp|lshttpd|litespeed|cpanel.plugin)") OR match(path_val, "(?i)(/usr/local/lsws|/opt/cpanel|/var/lsws|/etc/lsws)"), 1, 0)
| where suspicious_target=1 OR litespeed_context=1
| eval risk_score=case(suspicious_target=1 AND litespeed_context=1, 90, suspicious_target=1, 70, litespeed_context=1, 50, true(), 30)
| table _time, host, user, uid, cmd, path_val, suspicious_target, litespeed_context, risk_score
| sort -risk_score, -_timeSearches Linux audit, auditd, and osquery logs for symlink syscalls or ln commands involving LiteSpeed paths or sensitive system file targets. Risk-scores results based on combined suspicious indicators.
Data Sources
Required Sourcetypes
False Positives & Tuning
- LiteSpeed Plugin legitimate upgrade scripts that create PHP binary symlinks under /usr/local/lsws
- cPanel-automated processes (cpaneld, whostmgrd) that symlink binaries during feature provisioning
- Hosting automation frameworks (Plesk migration tools, Imunify360) that manipulate filesystem links
- Security hardening scripts that relocate or alias configuration files using symlinks
Other platforms for CVE-2026-54420
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Symlink in LiteSpeed Plugin Directory Targeting /etc/shadow
Expected signal: auditd SYSCALL=symlink with a1 pointing to /etc/shadow; FileOpenInfo event on /etc/shadow via the symlink path; process creating the symlink is a non-root user
- Test 2Symlink Traversal via LiteSpeed Binary Process Simulation
Expected signal: SYSCALL=symlink event for the ln -sv command; stat and readlink syscalls on the symlink; auditd logs should capture the effective UID and process name
- Test 3Enumerate LiteSpeed Plugin Directory and Create Targeted Symlink Chain
Expected signal: Multiple syscall events: find spawning openat calls on LiteSpeed paths; SYSCALL=symlink for the ln command; readdir on /root/.ssh via the symlink (if permitted); auditd AVC denials if SELinux/AppArmor active
References (4)
- https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-54420
Unlock Pro Content
Get the full detection package for CVE-2026-54420 including response playbook, investigation guide, and atomic red team tests.