Home Hacking News Vulnerability In cPanel Two-factor Authentication Could Allow Brute-force Attacks
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

Vulnerability In cPanel Two-factor Authentication Could Allow Brute-force Attacks

by Abeerah Hashim
written by Abeerah Hashim
cPanel two-factor authentication vulnerability

Popular web hosting control platform cPanel had a major security bug. Specifically, the vulnerability affected the cPanel two-factor authentication feature that could allow password guessing brute force.

cPanel Two-factor Authentication Vulnerable

Reportedly, Digital Defense Inc has disclosed a serious security vulnerability in cPanel two-factor authentication.

Sharing the details via a press release, the cybersecurity firm revealed that the two-factor authentication feature in cPanel lacked an attempt limit. Hence, it became possible for an adversary to guess the 2FA code via brute-forcing upon knowing the valid login credentials. In turn, the attacker could take control of the entire website.

cPanel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.

Describing the vulnerability (SEC-575) in an advisory, cPanel stated,

The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.

According to Digital Defense, performing this attack would only take minutes.

Although, cPanel advisory shows that the vulnerability received a CVSS score of 4.3, which hints at its medium-severity. However, given the huge user base of cPanel, this serious vulnerability poses a threat to over 70 million domains.

Patches Rolled Out

Upon discovering the vulnerability, the researchers reached out to the vendors to report the bug.

Eventually, the cPanel team addressed the flaw and released fixes with builds 11.92.0.2, 11.90.0.17, and 11.86.0.32.

The researchers then disclosed the bug publicly after the patches arrived.

Despite that it had a vulnerability, applying 2FA is still important to protect the cPanel accounts. Therefore, users must check their respective cPanel platform versions to ensure running the updated version. This is particularly important for those who have enabled two-factor authentication on cPanel login.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses