cPanel and WHM hit by a serious security flaw

News
By published

Two-factor authentication bypass flaw could affect over 70m websites

cPanel
(Image credit: Marco Verch / Flickr)

A previously undisclosed vulnerability in the web hosting control panel cPanel as well as the company's WebHost Manager (WHM) has been discovered by the vulnerability and threat management firm Digital Defense.

cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting related tasks. cPanel has served the global hosting community for more than 20 years and over 70m domains have been launched using its software.

The vulnerability, discovered by Digital Defense which affects cPanel and WHM version 11.90.05 (90.0 Build 5), is a two-factor authentication bypass flaw that can be exploited by brute force attacks. As a result, an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on a user's cPanel or WHM account.

CPanel provided further details on the vulnerability in a recent security advisory, saying:

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

Two-factor authentication bypass flaw

According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.

Thankfully though, cPanel has patched the flaw in builds 11.92.0.2, 11.90.0.17, 11.86.0.32 and users just need to install the latest updates to avoid falling victim to any potential brute force attacks exploiting the vulnerability.

SVP of engineering at Digital Defense, Mike Cotton explained in a press release that the company promptly reached out to cPanel following its discovery, saying:

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.” 

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Website Hosting
Dark web scanning on a laptop
Hostinger integrates dark web scanning into hPanel
WordPress
WordPress Foundation bid for greater trademark control halted, adding to more legal setbacks for CEO Matt Mullenweg
The PebbleHost website.
PebbleHost review
An image of the Cloudways Copilot logo
AI managed web hosting: I spoke to Cloudways about its new tool and the benefits artificial intelligence brings to servers
SPanel
As cPanel increases prices SPanel's improved compatibility could shake up the web hosting world order
Web hosting logos next to a Cyber Monday image
Best Cyber Monday VPS deals: I'm a hosting expert and these are the top offers you will see all year
Latest in News
Elayne, Egwene, and Nynaeve dressed regally and on horseback in The Wheel of Time season 3
'There's a reason why we do it': The Wheel of Time showrunner responds to fans who are still upset over the Prime Video show's plot alterations
Google Pixel 9
Android 16 could bring an improved Samsung DeX-style desktop mode to more phones
An Nvidia GeForce RTX 4060 Ti
Nvidia could unleash RTX 5060 and 5060 Ti GPUs on PC gamers tomorrow, but there’s no sign of rumored RTX 5050 yet
AI writing
ChatGPT just wrote the most beautiful short story, and I wonder what I'm even doing here
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Windows 10 button on a keyboard
Microsoft’s Remote Desktop app becomes the Windows App
More about website hosting
Dark web scanning on a laptop

Hostinger integrates dark web scanning into hPanel
The PebbleHost website.

PebbleHost review
Apple products with Apple Intelligence against a white background

Apple rushed Apple Intelligence and now the company is stuck playing catch up
See more latest
Most Popular
Windows 10 button on a keyboard
Microsoft’s Remote Desktop app becomes the Windows App
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Thursday, March 13 (game #375)
Trump
Hackers are abusing $TRUMP tokens to lure victims in to new phishing scam
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Thursday, March 13 (game #641)
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Quordle on a smartphone held in a hand
Quordle hints and answers for Thursday, March 13 (game #1144)
Elayne, Egwene, and Nynaeve dressed regally and on horseback in The Wheel of Time season 3
'There's a reason why we do it': The Wheel of Time showrunner responds to fans who are still upset over the Prime Video show's plot alterations
An Nvidia GeForce RTX 4060 Ti
Nvidia could unleash RTX 5060 and 5060 Ti GPUs on PC gamers tomorrow, but there’s no sign of rumored RTX 5050 yet
AI writing
ChatGPT just wrote the most beautiful short story, and I wonder what I'm even doing here
Google Pixel 9
Android 16 could bring an improved Samsung DeX-style desktop mode to more phones