Security Update for LiteSpeed cPanel Plugin

LiteSpeed cPanel Plugin Vulnerability

We have another urgent security update for LiteSpeed’s user-end plugin for cPanel.

Last night we were made aware of a vulnerability affecting our user-end cPanel plugin (LiteSpeed’s WHM plugin was not affected). We patched this vulnerability in v2.4.8.

Please update to the latest version of the cPanel user-end plugin, which is bundled with the WHM plugin.

This Privilege Escalation vulnerability, which was reported to us by the team at Namecheap, is in the process of being assigned a CVE number. We will update here when we have one.

Impact

A vulnerability in the LiteSpeed cPanel plugin allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.

This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.

Use the following command to determine if your server has been affected:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

If there is no output, then your server has not been affected.

If this command results in any output, the vulnerability may have been exploited on your server. There can be false positives, so look for the following to confirm:

  1. Pairing: generateEcCert immediately followed by packageUserSize for the same user (legitimate UI flows don’t chain these)
  2. Concurrency: 7–10 concurrent calls per attempt (legitimate UI does one at a time)
  3. Same source IP hammering both endpoints

To determine any damage done, examine the system logs for any actions taken by the detected IPs. If you need assistance, you may contact our support team.
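The three confirmation checks above, worked as an added triage script that is not part of LiteSpeed's advisory or plugin. It runs over constructed sample lines in an assumed "<ISO time> <client ip> <user> <query>" layout (the real cPanel log layout may differ), and the 60-second pairing window and burst threshold of 7 are choices made here, not values the advisory states beyond its "7–10 concurrent calls".

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ISO time> <client ip> <user> <query>" layout;
# the real cPanel log layout may differ, so adjust LINE_RE to match your files.
SAMPLE_LOG = (
    ["2026-05-31T02:14:07 203.0.113.7 acct1 cpanel_jsonapi_func=generateEcCert"] * 8
    + ["2026-05-31T02:14:08 203.0.113.7 acct1 cpanel_jsonapi_func=packageUserSize"] * 8
    + ["2026-05-31T09:30:00 198.51.100.5 acct2 cpanel_jsonapi_func=generateEcCert",
       "2026-05-31T09:45:11 198.51.100.5 acct2 cpanel_jsonapi_func=listdomains"]
)
# The same two endpoints the advisory's grep command looks for.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) .*cpanel_jsonapi_func=(generateEcCert|packageUserSize)\b")

def parse(lines):
    """Yield (timestamp, ip, user, func) for lines that name either endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def triage(lines, pair_window=timedelta(seconds=60), burst_min=7):
    """Apply the advisory's three confirmation checks per cPanel user.
    Returns {user: {"pairing": bool, "burst": bool, "same_ip": bool}}; all three True
    matches the exploitation pattern rather than a legitimate UI flow."""
    by_user = defaultdict(list)
    for ts, ip, user, func in sorted(parse(lines)):
        by_user[user].append((ts, ip, func))
    findings = {}
    for user, calls in by_user.items():
        # 1. Pairing: generateEcCert followed (within pair_window) by packageUserSize.
        pairing = any(
            f1 == "generateEcCert" and f2 == "packageUserSize"
            and timedelta(0) <= t2 - t1 <= pair_window
            for t1, _, f1 in calls for t2, _, f2 in calls
        )
        # 2. Concurrency: burst_min or more calls to one endpoint within the same second.
        burst = any(n >= burst_min for n in Counter((ts, f) for ts, _, f in calls).values())
        # 3. One source IP hitting both endpoints.
        by_ip = defaultdict(set)
        for _, ip, f in calls:
            by_ip[ip].add(f)
        same_ip = any(fs >= {"generateEcCert", "packageUserSize"} for fs in by_ip.values())
        findings[user] = {"pairing": pairing, "burst": burst, "same_ip": same_ip}
    return findings

if __name__ == "__main__":
    for user, flags in triage(SAMPLE_LOG).items():
        print(user, "SUSPICIOUS" if all(flags.values()) else "likely benign", flags)
```

Feed it the lines the grep command above prints (after adapting LINE_RE to your log layout) to separate the single legitimate calls from the chained bursts the advisory describes.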

Actions

We urgently recommend that those using the LiteSpeed user-end plugin for cPanel upgrade to LiteSpeed WHM Plugin v5.3.2.1 (bundled with cPanel plugin v2.4.8) or higher to patch this vulnerability.

If you cannot upgrade at this time, you can use the following command to remove the user-end plugin and avoid this vulnerability:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Timeline

  • May 31, 2026: We were alerted to the original issue.
  • May 31, 2026: cPanel pushed an uninstall command for the user-end plugin.
  • Jun 1, 2026: We released cPanel plugin v2.4.8 and WHM plugin v5.3.2.1.
  • Jun 1, 2026: We applied for a CVE.

Conclusion

We thank Namecheap for bringing the original issue to our attention. We’d also like to thank the cPanel team for their immediate action in preventing further exploitation on additional servers. The vulnerability has been patched, so if you are keeping your cPanel plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so immediately.
