high | APT / Nation-State | CVE-2026-20262 | CVE-2026-54420

CISA Catalogs Two Actively Exploited Vulnerabilities: Critical Patches Urged

Two critical vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog: Cisco Catalyst SD-WAN Manager (CVE-2026-20262) and LiteSpeed cPanel Plugin (CVE-2026-54420). Both are actively exploited, posing significant risks. Cisco has released updates for the SD-WAN vulnerability, while LiteSpeed advises upgrading immediately to patch its plugin flaw. Defenders should prioritize these patches to mitigate potential threats.

Summary

CISA has recently updated its Known Exploited Vulnerabilities catalog with two new entries: CVE-2026-20262 and CVE-2026-54420. These vulnerabilities are actively exploited, underscoring the need for immediate attention from organizations using affected products. Cisco's SD-WAN Manager is susceptible to a directory traversal vulnerability that allows file manipulation on the system if an attacker has valid credentials. Meanwhile, LiteSpeed Technologies' cPanel Plugin mishandles symlinks, enabling privilege escalation in shared hosting environments.

What Happened

The Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage, is vulnerable to a directory or path traversal flaw (CVE-2026-20262). This vulnerability allows an authenticated, remote attacker with at least lower-privileged access to create or overwrite files on the system's filesystem. The root cause lies in improper validation of user-supplied input during file uploads. Exploitation could lead to privilege escalation by allowing attackers to upload malicious files that can be used to gain root access.

Simultaneously, a vulnerability (CVE-2026-54420) has been identified in LiteSpeed Technologies' cPanel Plugin, affecting versions before 2.4.8. This flaw arises from mishandling symlinks provided by users with FTP or web shell access on shared hosting servers running CloudLinux/CageFS. Exploitation of this vulnerability enables attackers to escalate privileges to root.

Technical Details

The Cisco Catalyst SD-WAN Manager's vulnerability stems from a failure in input validation during file uploads. Attackers can exploit this flaw by sending crafted HTTP requests to specific API endpoints, allowing them to manipulate files on the underlying operating system. This manipulation could be used later for privilege escalation.

For LiteSpeed's cPanel Plugin, the issue is linked to symlink handling. Users with FTP or web shell access can exploit this vulnerability to execute arbitrary commands as root, significantly compromising server security.

Affected Products and Fixed Versions

  • Cisco Catalyst SD-WAN Manager: All versions are affected regardless of configuration. Cisco has released software updates to address this vulnerability.

  • LiteSpeed cPanel Plugin: Vulnerable versions are those prior to 2.4.8. LiteSpeed recommends upgrading to version 5.3.2.1 or higher, which includes the patched plugin.

Exploitation Status

Both vulnerabilities are actively exploited in the wild, as confirmed by CISA's inclusion of these CVEs in its Known Exploited Vulnerabilities catalog. This highlights the urgency for organizations using affected products to apply available patches immediately.

Indicators of Compromise

For Cisco Catalyst SD-WAN Manager, indicators include specific log entries such as:

  • From vmanage-server.log: "uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage."

  • From serviceproxy-access.log: "[2026-06-11T07:57:33.635Z] 'POST /suspicious/index.jsp HTTP/1.1' 200 -"

These entries should be audited against normal network activity to avoid false positives.
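A triage sketch for the two Cisco indicators above, added here as an example and not taken from Cisco's advisory or tooling. It flags upload entries whose file name escapes the upload directory, then looks for requests to the web path a dropped `.war` would be served under. The log lines are constructed from the quoted fragments, and the mapping of archive name to URL prefix assumes WildFly's default context root.

```python
import re
from pathlib import PurePosixPath

# Constructed samples: the first entry of each list is the indicator quoted
# above, the second is a constructed benign entry for contrast.
VMANAGE_LOG = [
    "uploaded Remote Access Anyconnect profile file: "
    "../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.",
    "uploaded Remote Access Anyconnect profile file: branch-office.xml to vManage.",
]
PROXY_LOG = [
    "[2026-06-11T07:57:33.635Z] 'POST /suspicious/index.jsp HTTP/1.1' 200 -",
    "[2026-06-11T07:58:01.102Z] 'GET /index.html HTTP/1.1' 200 -",
]

UPLOAD_RE = re.compile(r"profile file: (?P<name>.+?) to vManage")
ACCESS_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] '(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+' (?P<status>\d{3})"
)

def traversal_uploads(lines):
    """Return uploaded file names that contain '..' segments or are absolute."""
    hits = []
    for line in lines:
        m = UPLOAD_RE.search(line)
        if not m:
            continue
        name = m.group("name").replace("\\", "/")
        if ".." in PurePosixPath(name).parts or name.startswith("/"):
            hits.append(m.group("name"))
    return hits

def deployed_contexts(upload_names):
    """URL prefixes for dropped .war files (assumption: context root = archive name)."""
    return {"/" + PurePosixPath(n).stem + "/"
            for n in upload_names if n.lower().endswith(".war")}

def follow_up_requests(lines, contexts):
    """Return (timestamp, method, path, status) for requests under a flagged prefix."""
    out = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if m and any(m.group("path").startswith(c) for c in contexts):
            out.append((m.group("ts"), m.group("method"), m.group("path"), m.group("status")))
    return out

if __name__ == "__main__":
    flagged = traversal_uploads(VMANAGE_LOG)
    print(flagged, follow_up_requests(PROXY_LOG, deployed_contexts(flagged)))
```

A flagged upload with no matching request still warrants review, since the dropped file may not have been invoked yet.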

Detection Opportunities

Defenders can monitor for unusual file uploads or symlink manipulations in their environments as potential indicators of compromise. For Cisco systems, specific log patterns should be checked, and any anomalies reported to the Cisco Technical Assistance Center (TAC).

For LiteSpeed cPanel Plugin users, running the provided grep command can help determine if exploitation has occurred:

    grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

Defender Guidance

  1. Cisco Catalyst SD-WAN Manager: Upgrade to the latest software version that addresses CVE-2026-20262. Regularly audit logs for unusual file upload activities and consult Cisco TAC if anomalies are detected.

  2. LiteSpeed cPanel Plugin: Immediately update to version 5.3.2.1 or higher, which includes the patched plugin. If unable to upgrade immediately, consider uninstalling the user-end plugin using:

    /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

    Once updated, reinstall and enable auto-install for future updates.

  3. General: Adopt a risk-based vulnerability management approach, prioritizing patches for vulnerabilities listed in CISA's KEV catalog. Regularly review security advisories from vendors and apply patches promptly to mitigate risks associated with known exploits.

Sources

  1. https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
  2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
  3. https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel
  4. https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
  5. https://www.cve.org/CVERecord?id=CVE-2026-20262
  6. https://www.cve.org/CVERecord?id=CVE-2026-54420
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -