The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said federal agencies must patch a LiteSpeed cPanel plugin vulnerability currently being exploited [1].

The flaw allows attackers to achieve root-level privilege escalation on affected servers [3]. Because this access grants total control over the hosting environment, the vulnerability poses a severe risk to the integrity of federal data and infrastructure [2].

CISA identified the vulnerability as CVE-2026-54420 [2]. Some reports also mention CVE-2026-41940 in relation to the exploitation efforts [4]. The agency said that more than 40,000 cPanel servers have been hijacked in ongoing attacks, potentially handing hackers entire web-hosting fleets [5].

To mitigate the risk, CISA gave federal agencies three days to secure their servers [1]. The reports disagree on the exact deadline: one gives it as June 12, 2026 [4], while another gives June 18, 2026 [2].

Federal agencies must prioritize updating the LiteSpeed cPanel plugin to prevent unauthorized administrative access. The short timeline reflects how quickly the exploit is spreading across hosting environments [1].

The vulnerability is being actively exploited to achieve root-level privilege escalation

The scale of the attack, affecting tens of thousands of servers, suggests a highly automated exploitation campaign. Because cPanel is a widely used web hosting control panel, compromising a single server hands the attacker every account hosted on it, not just one site. The tight patching window imposed by CISA reflects what root-level access means in practice: an attacker at that privilege can read every account's files and databases, install persistence such as additional system users or SSH keys, and disable or tamper with host-based security controls. Patching closes the entry point but does not undo anything installed through it, so servers that were exposed before the fix was applied should be reviewed for signs of compromise rather than assumed clean.