Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

U.S. CISA adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities (KEV) catalog. The two flaws added to the catalog are: CVE-2026-20262 is an arbitrary […]

CISA BlueHammer (CVE-2026-33825)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Catalyst and LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The two flaws added to the catalog are:

  • CVE-2026-20262 (CVSS score of 6.5) Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
  • CVE-2026-54420 (CVSS score of 8.5) LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

CVE-2026-20262 is an arbitrary file write vulnerability in the web interface of Cisco Catalyst SD-WAN Manager. The flaw is caused by improper validation of user-supplied input during file uploads, allowing an authenticated remote attacker to create or overwrite files on the underlying operating system through a crafted HTTP request.

A successful attack could enable further privilege escalation to root. Exploitation requires valid credentials for a low-privileged user account.

The second issue added to the catalog, CVE-2026-54420, is a privilege-escalation vulnerability affecting LiteSpeed’s cPanel plugin on shared hosting servers running CloudLinux or CageFS. The flaw stems from improper handling of user-controlled symbolic links, allowing attackers with FTP or web shell access to gain root privileges.

The exploitation in the wild has been confirmed.

“This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.” reads the advisory.

The advisory recommends using the following command to determine if your server has been affected:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

If there is no output, then your server has not been affected.

If the command returns results, the server may have been exploited, although false positives are possible. Administrators should look for suspicious patterns such as consecutive generateEcCert and packageUserSize calls for the same user, multiple concurrent requests, and the same IP accessing both endpoints. If these indicators are present, system logs should be reviewed to assess any malicious activity and potential impact.

LiteSpeed advises administrators to check server logs for indicators of compromise and upgrade to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later. Namecheap responsibly disclosed the vulnerability on May 31, 2026.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to urgently fix the LiteSpeed cPanel plugin vulnerability by June 18, 2026. The US agency orders federal agencies to fix the Cisco Catalyst plugin vulnerability by June 29, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)