cPanel and WHM hit by a serious security flaw


A previously undisclosed vulnerability in the web hosting control panel cPanel as well as the company's WebHost Manager (WHM) has been discovered by the vulnerability and threat management firm Digital Defense.

cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting related tasks. cPanel has served the global hosting community for more than 20 years and over 70m domains have been launched using its software.

The vulnerability, discovered by Digital Defense, affects cPanel and WHM version 11.90.05 (90.0 Build 5). It is a two-factor authentication bypass flaw that can be exploited by brute force attacks: an attacker with knowledge of or access to valid credentials could bypass the two-factor authentication protections on a user's cPanel or WHM account.

cPanel provided further details on the vulnerability in a recent security advisory, saying:

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

Two-factor authentication bypass flaw

According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.

Thankfully, cPanel has patched the flaw in builds 11.92.0.2, 11.90.0.17 and 11.86.0.32; users just need to install the latest updates to avoid falling victim to brute force attacks exploiting the vulnerability.
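As an added illustration (constructed for this article, not cPanel's own code), here is a minimal second-factor verifier that models the two behaviours the advisory describes: unlimited code submissions (the unpatched state, `max_failures=None`) versus failed codes counted like failed passwords and locked out after a threshold (the patched state). The account names, codes and threshold are made up.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    name: str
    current_code: str          # the one-time code valid right now (constructed value)
    failures: int = 0
    locked: bool = False


@dataclass
class SecondFactorVerifier:
    # None reproduces the unpatched "no limit" behaviour; an int models the
    # patched policy in which repeated failures lock the account (cPHulk-style).
    max_failures: Optional[int]
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, name: str, code: str) -> Account:
        acct = Account(name=name, current_code=code)
        self.accounts[name] = acct
        return acct

    def verify(self, name: str, code: str) -> bool:
        acct = self.accounts[name]
        if acct.locked:
            return False            # locked accounts reject even a correct code
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(acct.current_code, code):
            acct.failures = 0
            return True
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
        return False


def policy_outcome(verifier: SecondFactorVerifier, name: str, budget: int) -> Tuple[str, int]:
    """Local test of the policy: feed sequential 6-digit codes and report what happens.
    Returns ("accepted", n) if a code got through on attempt n, ("locked", n) if the
    lockout fired on attempt n, or ("exhausted", budget) if the budget ran out."""
    for n in range(1, budget + 1):
        if verifier.verify(name, f"{n - 1:06d}"):
            return "accepted", n
        if verifier.accounts[name].locked:
            return "locked", n
    return "exhausted", budget
```

Without a threshold the verifier keeps answering until the code space is exhausted, which is the condition the advisory describes; with one, the account is locked after a handful of wrong codes and a correct code no longer gets through.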

Mike Cotton, SVP of engineering at Digital Defense, explained in a press release that the company promptly reached out to cPanel following its discovery, saying:

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.” 

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
