Security Flaw in cPanel and WHM Allowed 2FA Bypasses

security flaw in cpanel could have led to 2fa bypass attacks article imageSecurity researchers just reported that cPanel, perhaps the most common provider of admin tools for web hosting, is vulnerable. Security flaws resided in cPanel and WebHost Manager (WHM) web hosting platform, enabling remote hackers with valid credentials to bypass two-factor authentication (2FA) on targeted accounts.

Digital Defense researchers discovered and reported one of the issues, which is now known as SEC-575. The good news is that the flaw is addressed in versions,, and of cPanel.

As explained by Digital Defense researchers, cPanel &WHM version (90.0 Build 5) contain a two-factor authentication bypass flaw. The issue could be used in brute force attacks, “resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.” Testing carried out by the team showed that an attack “can be accomplished in minutes.”

More about the issues in cPanel and WHM

The other issues are tracked as SEC-577 (Self-XSS vulnerability in WHM Transfer Tool interface) and SEC-567 (URL parameter injection vulnerabilities in multiple interfaces). You can learn more about them from the official advisory.

cPanel and WHM (Web Host Manager) provides a Linux-based control panel for web admins to control site and server management. Management tasks that can be performed with the software include adding sub-domains and system and control panel maintenance. Currently, more than 70 million domains operate via cPanel’s software.

According to cPanel’s official advisory, the SEC-575 issue stemmed from the lack of prevention of repeatedly submitting 2FA codes. This condition enabled hackers to circumvent 2FA checks via brute force techniques.

“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” the software provider added. Thе 2FA vulnerability was discovered by Michael Clark and Wes Wright of Digital Defense.

To avoid any attacks against your website, you should keep track of any pending updates of all the software you utilize.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.