Critical Security Fix Released for LiteSpeed Web Server

cPFence

Hey everyone,

in case you missed the email, there is an important security update for LiteSpeed Enterprise web servers. It's recommended to upgrade to the latest build 2 of LiteSpeed using the command:

/usr/local/lsws/admin/misc/lsup.sh -f -v 6.3.4

For reference, here’s the email we received from LiteSpeed:

Hello,

Please make sure to update to the latest version, as this release includes a critical security fix for a vulnerability that could be exploited. 

If you are unable to upgrade your server immediately, we recommend disabling HTTP/3 as a temporary precaution to avoid exposure.  

More details here: https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/

Thanks for your attention!

LiteSpeed Team

blestaclub

@SystemFreaks

cPFence

This vulnerability also affects OpenLiteSpeed (OLS) users. It is recommended to upgrade to OLS v1.8.4 immediately, as noted in the official LiteSpeed blog post.

nqnoc

cPFence To update OLS is just apt update && apt upgrade?

cPFence

nqnoc

Yes, it’s a good idea to add it to a daily cronjob so your servers stay current automatically.

Aliysa_Enhance

Thanks for sharing this with the community so quickly cPFence. We've just pushed a patch release for this so that all new Enhance installations have the latest LiteSpeed version: https://enhance.com/support/release-notes

Existing Enhance users running LiteSpeed can now update to LiteSpeed v6.3.4 by running this command on each server running LiteSpeed;

mv /usr/local/lsws /usr/local/lsws_old && appcd-cli change-webserver lite-speed put-your-serial-no-here