2FA bypass in cPanel potentially exposes tens of millions of websites to hack

Pierluigi Paganini November 24, 2020

2FA bypass discovered in web hosting software cPanel

More than 70 million sites are managed via cPanel software, according to the company.

Researchers discovered a major issue in cPanel that could be exploited by attackers to bypass two-factor authentication for cPanel accounts.

Security researchers from Digital Defense have discovered a major security issue in cPanel, a popular software suite that facilitates the management of a web hosting server.

Attackers could exploit the flaw to bypass two-factor authentication (2FA) for cPanel accounts and manage the associated websites.

Digital Defense, Inc., a leader in vulnerability and threat management solutions, today announced that its Vulnerability Research Team (VRT) uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.” reads the post published by Digital Defense. “c_Panel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.”

The flaw could have a dramatic impact because the software suite is currently used by web hosting providers to manage more than 70 million domains across the world.

The experts discovered that the 2FA implementation of cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed attackers to guess URL parameters and bypass 2FA.

The exploitation of this bug requires that attackers have valid credentials for a targeted account.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. “Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

Researchers added that attackers could bypass the 2FA in a few minutes. This issue was addressed with the release of the following builds:

  • 11.92.0.2
  • 11.90.0.17
  • 11.86.0.32

Website admins urge to check if their hosting provider has updated their cPanel installation.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment