CVE-2026-54420 Sumo Logic CSE · Sumo

Detect LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability in Sumo Logic CSE

Detects exploitation of CVE-2026-54420, a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel Plugin. Attackers with local access can create malicious symlinks to read or overwrite files outside the intended directory, potentially leading to privilege escalation or unauthorized file access on cPanel-managed hosting servers. This vulnerability is actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/audit OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/linux
| parse regex "(?<raw_cmd>(?:ln\s+-s|symlink|symlinkat)[^\n]*)"
| where !isNull(raw_cmd)
| if (raw_cmd matches /(?i)(lsws|lsphp|litespeed|cpanel.plugin|\/usr\/local\/lsws|\/var\/lsws|\/etc\/lsws)/, 1, 0) as litespeed_context
| if (raw_cmd matches /(?i)(\/etc\/passwd|\/etc\/shadow|\/root\/|\/etc\/ssh|\/etc\/sudoers|\/proc\/)/, 1, 0) as sensitive_target
| where litespeed_context = 1 OR sensitive_target = 1
| fields _messageTime, _sourceHost, _sourceCategory, raw_cmd, litespeed_context, sensitive_target
| sort by _messageTime desc
| count by _sourceHost, litespeed_context, sensitive_target
| sort by _count desc
high severity low confidence

Sumo Logic query parsing Linux audit and syslog data for symlink operations tied to LiteSpeed plugin paths or sensitive file targets, with field extraction and aggregation by host.

Data Sources

Sumo Logic Linux Audit SourceSumo Logic Syslog SourceSumo Logic Installed Collector (Linux)

Required Tables

linux/auditlinux/syslogendpoint/linux

False Positives & Tuning

  • Automated cPanel plugin update jobs run by hosting provider maintenance windows
  • LiteSpeed LSWS installer creating PHP symlinks during initial setup or version upgrades
  • cPanel-initiated scripts that modify LiteSpeed configuration and create symlinks for PHP SAPI selection
  • Penetration testing engagements against cPanel environments with prior authorization

Other platforms for CVE-2026-54420

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Symlink in LiteSpeed Plugin Directory Targeting /etc/shadow

    Expected signal: auditd SYSCALL=symlink with a1 pointing to /etc/shadow; FileOpenInfo event on /etc/shadow via the symlink path; process creating the symlink is a non-root user

  2. Test 2Symlink Traversal via LiteSpeed Binary Process Simulation

    Expected signal: SYSCALL=symlink event for the ln -sv command; stat and readlink syscalls on the symlink; auditd logs should capture the effective UID and process name

  3. Test 3Enumerate LiteSpeed Plugin Directory and Create Targeted Symlink Chain

    Expected signal: Multiple syscall events: find spawning openat calls on LiteSpeed paths; SYSCALL=symlink for the ln command; readdir on /root/.ssh via the symlink (if permitted); auditd AVC denials if SELinux/AppArmor active

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-54420 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0006Credential Access

Related Techniques

T1574Hijack Execution FlowT1548Abuse Elevation Control MechanismT1083File and Directory Discovery

Same Tactic: Privilege Escalation

Popular Detections