2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software


cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.

The issue, tracked as “SEC-575” and discovered by researchers from Digital Defense, has been remedied by the company in versions,, and of the software.

cPanel and WHM (Web Host Manager) offer a Linux-based control panel that lets users handle website and server management, including tasks such as adding sub-domains and performing system and control panel maintenance. To date, over 70 million domains have been launched on servers using cPanel’s software suite.

The issue stemmed from a lack of rate limiting on 2FA code submission during login, which made it possible for a malicious party to repeatedly submit 2FA codes in a brute-force fashion and circumvent the authentication check.

Digital Defense researchers said an attack of this kind could be accomplished in minutes.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” cPanel said in its advisory. “This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.”

The company has now addressed the flaw by adding a rate limit check to its cPHulk brute-force protection service, causing a failed validation of the 2FA code to be treated as a failed login.
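The two design points above (a second-factor check with no limit on wrong codes, and the fix of counting a failed 2FA code as a failed login so the existing lockout applies) can be shown with a small verifier. The following is an added illustration, not cPanel's or cPHulk's code: it generates standard RFC 6238 TOTP codes from a constructed demo secret (the RFC's own test-vector key, not a real key) and wraps them in a verifier whose failure counter and lockout window are assumed values chosen for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte key from the RFC 4226/6238 test vectors.
# It is public knowledge and must never be used as a real shared secret.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard RFC 6238 TOTP over HMAC-SHA1 (generic algorithm, not cPanel's code)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Second-factor check that treats every wrong code as a failed login.

    Without the failure counter a caller could submit all 10**6 possible six-digit
    codes inside a single 30-second window; with it, the account locks after
    `max_failures` wrong codes and stays locked for `lockout_seconds`, so the
    number of guesses per window is bounded by the same policy that limits
    password guessing.  The numbers are assumptions for this example.
    """

    def __init__(self, secret: bytes, max_failures: int = 5,
                 lockout_seconds: int = 900, clock=time.time):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time the lockout expires

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0)

    def verify(self, user: str, submitted: str, now=None) -> str:
        """Return 'ok', 'rejected' or 'locked'.  A locked account rejects even a correct code."""
        now = self.clock() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        expected = totp(self.secret, now)
        # Constant-time comparison on bytes so the check itself leaks nothing about
        # how many leading digits matched.
        if hmac.compare_digest(submitted.strip().encode(), expected.encode()):
            self.failures.pop(user, None)       # success clears the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            # Same treatment a brute-force guard gives repeated bad passwords.
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        return "rejected"


if __name__ == "__main__":
    v = TwoFactorVerifier(DEMO_SECRET, max_failures=3, lockout_seconds=900)
    t = 59  # RFC 6238 test-vector timestamp: code for this window is 287082
    for guess in ("000000", "111111", "222222"):
        print(guess, "->", v.verify("alice", guess, now=t))
    print("correct code while locked ->", v.verify("alice", totp(DEMO_SECRET, t), now=t))
    print("correct code after lockout ->", v.verify("alice", totp(DEMO_SECRET, t + 900), now=t + 900))
```

In a real deployment the counter would live in the same store as the password-failure counter (that is the point of cPanel routing 2FA failures through cPHulk), be keyed by source address as well as by account, and persist across processes; the in-memory dictionaries here only exist to keep the example self-contained.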

This is not the first time the absence of rate-limiting has posed a serious security concern.

Back in July, video conferencing app Zoom fixed a security loophole that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants.

It’s recommended that cPanel customers apply the patches to mitigate the risk associated with the flaw.
