Vulnerability allowed bypassing 2FA in WHM & cPanel by bruteforcing

The vulnerability (CVE-2020-27641) allowed malicious actors to bypass two-factor authentication (2FA) on the software using brute-force attacks.

In the web hosting world, both the Web Hosting Manager (WHM) and cPanel are 2 products that have played a crucial role in making things easy for webmasters.

Add to this the various tools available like Softaculous at one’s hand, someone who doesn’t know much about coding could implement a range of features like installing new websites in one click. However, it is important to understand that the entire setup in itself could be vulnerable as well.

Keeping this in mind, Digital Defense, a US-based cybersecurity company has recently discovered a vulnerability in their version 11.90.0.5 named CVE-2020-27641 which allowed malicious actors to bypass two-factor authentication (2FA) on the software using brute-force attacks.



This was mainly because a person could make unlimited tries when entering the 2FA code allowing them to try different guesses. However, to be prompted for the 2FA in the first place, the attacker should have known the login credentials for a specific account which makes gaining access not so easy.

To conclude, currently, cPanel has issued patches and users can protect themselves by updating to its latest version. If you think on the other hand that you may have been a victim of such an attack, it is best to contact their support team who can help you secure your account further on.

For the future, this remains a lesson of responsibility for other software companies seeing how fast cPanel responded admitting its mistake. In this regards, Digital Defense stated in its blog post that,

The engineers at cPanel & WHM are to be commended for their prompt response to the identified flaw and their team’s work with Vulnerability Response Team to provide prompt fixes for this cyber security issue.

Full disclosure from cPanel is available here.

You may also like...