2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software

cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.

The issue, tracked as “SEC-575” and discovered by researchers from Digital Defense, has been remedied by the company in updated releases of the software.

cPanel and WHM (Web Host Manager) offer a Linux-based control panel for users to handle website and server management, including tasks such as adding sub-domains and performing system and control panel maintenance. To date, over 70 million domains have been launched on servers using cPanel’s software suite.

The issue stemmed from a lack of rate limiting on the 2FA step of the login flow: an attacker who already held a valid username and password could repeatedly submit 2FA codes, brute-forcing the short numeric one-time code and circumventing the second authentication check.

Digital Defense researchers said an attack of this kind could be accomplished in minutes.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” cPanel said in its advisory. “This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.”

The company has now addressed the flaw by adding a rate-limit check to its cPHulk brute-force protection service, so that a failed validation of the 2FA code is treated as a failed login attempt and counts toward cPHulk’s lockout.
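The two passages above describe the flaw (no rate limit on the 2FA step, so the code can be brute-forced by an attacker who already has the password) and the fix (a failed 2FA code counts as a failed login for cPHulk's lockout). The Python simulation below is an added illustration, not cPanel's, cPHulk's or Digital Defense's code. It models a six-digit HOTP/TOTP-style verifier (the secret, the pinned time step, the attacker address and the lockout threshold of five are constructed assumptions, not cPanel's values) and an attacker who has passed the password step and iterates the code space; the same verifier is run unpatched and with the cPHulk-style failure counting.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo values: not a real cPanel secret, time step or client address.
SECRET = b"constructed-demo-secret"
TIME_STEP = 1_700_000_000 // 30   # TOTP counter for one fixed instant, keeps the demo deterministic
ATTACKER = "203.0.113.7"          # documentation-range address standing in for the attacker


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (the per-step value TOTP derives) as a zero-padded decimal string."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class TwoFactorStep:
    """Second step of a login; the first step (the password) is assumed to have passed.

    lockout_threshold=None reproduces the unpatched behaviour, where a wrong code costs
    the attacker nothing. An integer models the fix: every failed code is counted like a
    failed login, and the source is locked out once the counter reaches the threshold.
    """

    def __init__(self, secret: bytes, counter: int, lockout_threshold: Optional[int] = None):
        # A real server recomputes the expected code every time step; the demo pins one step.
        self.expected = hotp(secret, counter)
        self.lockout_threshold = lockout_threshold
        self.failures = {}   # source -> failed 2FA submissions (assumed per-source counter)
        self.locked = set()

    def verify(self, source: str, code: str) -> str:
        if source in self.locked:
            return "locked"   # once locked, even the correct code is refused
        if hmac.compare_digest(self.expected, code):
            self.failures.pop(source, None)
            return "ok"
        self.failures[source] = self.failures.get(source, 0) + 1
        if self.lockout_threshold is not None and self.failures[source] >= self.lockout_threshold:
            self.locked.add(source)
            return "locked"
        return "bad-code"


def brute_force(step: TwoFactorStep, source: str, digits: int = 6):
    """Submit every code in order; return (code that was accepted or None, submissions made)."""
    for guess in range(10 ** digits):
        code = f"{guess:0{digits}d}"
        result = step.verify(source, code)
        if result == "ok":
            return code, guess + 1
        if result == "locked":
            return None, guess + 1
    return None, 10 ** digits


if __name__ == "__main__":
    unpatched = TwoFactorStep(SECRET, TIME_STEP)
    code, attempts = brute_force(unpatched, ATTACKER)
    print(f"unpatched: 2FA bypassed with code {code} after {attempts} submissions")

    patched = TwoFactorStep(SECRET, TIME_STEP, lockout_threshold=5)
    code, attempts = brute_force(patched, ATTACKER)
    print(f"patched: accepted code {code!r} after {attempts} submissions; "
          f"source locked out: {ATTACKER in patched.locked}")
```

Against the unpatched verifier the loop always succeeds within the code space, which is why a real attack only has to outrun the validity window of the current code rather than the server. The patched verifier stops it after a handful of submissions. Note that the counter here is keyed on the source address alone, so a distributed attacker would need to be caught by a per-account counter as well; the simulation keeps one key to stay short.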

This is not the first time the absence of rate-limiting has posed a serious security concern.

Back in July, video conferencing app Zoom fixed a security loophole that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants.

It’s recommended that cPanel customers apply the patches to mitigate the risk associated with the flaw.
