U.S. CISA adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog



Pierluigi Paganini
June 16, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The two flaws added to the catalog are:

  • CVE-2026-20262 (CVSS score of 6.5) Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
  • CVE-2026-54420 (CVSS score of 8.5) LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

CVE-2026-20262 is an arbitrary file write vulnerability in the web interface of Cisco Catalyst SD-WAN Manager. The flaw is caused by improper validation of user-supplied input during file uploads, allowing an authenticated remote attacker to create or overwrite files on the underlying operating system through a crafted HTTP request.

A successful attack could enable further privilege escalation to root. Exploitation requires valid credentials for a low-privileged user account.

The second issue added to the catalog, CVE-2026-54420, is a privilege-escalation vulnerability affecting LiteSpeed’s cPanel plugin on shared hosting servers running CloudLinux or CageFS. The flaw stems from improper handling of user-controlled symbolic links, allowing attackers with FTP or web shell access to gain root privileges.

Exploitation in the wild has been confirmed.

“This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8,” reads the advisory.

The advisory recommends using the following command to determine if your server has been affected:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

If there is no output, then your server has not been affected.

If the command returns results, the server may have been exploited, although false positives are possible. Administrators should look for suspicious patterns such as consecutive generateEcCert and packageUserSize calls for the same user, multiple concurrent requests, and the same IP accessing both endpoints. If these indicators are present, system logs should be reviewed to assess any malicious activity and potential impact.
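The triage described above can be scripted over the grep output. The following is an added example, not code from the LiteSpeed advisory or from this article; the log line layout, the sample lines, the users, the session token and the EXAMPLE.log file name are constructed assumptions.

```python
import re
import sys
from collections import defaultdict

# Assumed layout: optional "path:" prefix from grep -r, then client IP, ident,
# authenticated user, [timestamp], "request". Adjust to your actual log format.
LINE = re.compile(r'^(?:/[^:\s]*:)?(?P<ip>\S+) \S+ (?P<user>\S+) '
                  r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
FUNC = re.compile(r'cpanel_jsonapi_func=(generateEcCert|packageUserSize)')

# Constructed sample lines (documentation IPs, made-up users and session token).
_P = "/usr/local/cpanel/logs/access_log:"
_Q = '"GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=%s HTTP/1.1" 200 0'
SAMPLE = [
    _P + "203.0.113.7 - alice [06/10/2026:12:00:01 -0000] " + _Q % "generateEcCert",
    _P + "203.0.113.7 - alice [06/10/2026:12:00:01 -0000] " + _Q % "packageUserSize",
    _P + "203.0.113.7 - alice [06/10/2026:12:00:01 -0000] " + _Q % "packageUserSize",
    _P + "198.51.100.9 - bob [06/10/2026:13:10:00 -0000] " + _Q % "packageUserSize",
    "/var/cpanel/logs/EXAMPLE.log:cert_action_entry alice geneccert",  # other format
]

def triage(lines):
    """Correlate grep hits by user, source IP and timestamp."""
    by_user, by_ip = defaultdict(list), defaultdict(set)
    by_instant, unparsed = defaultdict(int), []
    for line in lines:
        m = LINE.match(line)
        f = FUNC.search(m["req"]) if m else None
        if not f:
            unparsed.append(line)  # e.g. cert_action_entry hits: review by hand
            continue
        by_user[m["user"]].append(f.group(1))
        by_ip[m["ip"]].add(f.group(1))
        by_instant[(m["ip"], m["ts"])] += 1
    return {
        # one call type directly followed by the other for the same user
        "users_consecutive": sorted(u for u, s in by_user.items()
                                    if any(a != b for a, b in zip(s, s[1:]))),
        # same IP seen on both endpoints
        "ips_both_endpoints": sorted(ip for ip, fs in by_ip.items() if len(fs) == 2),
        # more than one hit from an IP sharing one timestamp (1 s resolution)
        "ips_concurrent": sorted({ip for (ip, _), n in by_instant.items() if n > 1}),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for key, value in triage(data).items():
        print(key, value)
```

Pipe the output of the advisory's grep command into the script; lines it cannot parse are returned under "unparsed" rather than dropped, so they still get a manual review.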

LiteSpeed advises administrators to check server logs for indicators of compromise and upgrade to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later. Namecheap responsibly disclosed the vulnerability on May 31, 2026.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to urgently fix the LiteSpeed cPanel plugin vulnerability by June 18, 2026, and the Cisco Catalyst SD-WAN Manager vulnerability by June 29, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)






