
cPanel 2FA bypassed in minutes via brute-force attacks
2020-11-26 09:51

A security flaw in the cPanel web hosting control panel allows attackers to circumvent two-factor authentication checks via brute-force attacks for domains managed using vulnerable cPanel & WebHost Manager versions.

Attackers could abuse CVE-2020-27641 to bypass 2FA for cPanel accounts on potentially millions of websites because cPanel's Security Policy did not block them from repeatedly submitting two-factor authentication codes.

cPanel has issued security updates to address the vulnerability in cPanel & WHM versions 11.92.0.2, 11.90.0.17, and 11.86.0.32, available for download via Software Update.

On updated cPanel versions, attempts to brute-force 2FA protection on any account result in primary password validation failures, and further attempts are rate-limited by cPHulk.

"Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues."
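The patched behaviour the article describes, modelled as an added example (not cPanel's own code): a second-factor gate that counts bad one-time codes against the same lockout counter a failed password would hit, beside the weak policy that lets codes be retried without limit. The threshold, lockout window and account names are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # hypothetical lockout threshold (cPHulk's real policy is configurable)
LOCKOUT_SECONDS = 900   # hypothetical lockout window


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class SecondFactorGate:
    """Verifies a submitted one-time code for a user.

    count_otp_failures=True  -> a bad code counts like a bad password and
                                trips the lockout (the patched behaviour).
    count_otp_failures=False -> bad codes are never counted, so the code
                                space can be exhausted (the flaw described).
    """

    def __init__(self, clock=time.monotonic, count_otp_failures=True):
        self._state = {}
        self._clock = clock            # injectable clock so the lockout can be tested offline
        self._count = count_otp_failures

    def _acct(self, user):
        return self._state.setdefault(user, AccountState())

    def record_failure(self, user):
        """Shared failure counter: password and 2FA failures both land here."""
        acct = self._acct(user)
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self._clock() + LOCKOUT_SECONDS

    def is_locked(self, user):
        return self._clock() < self._acct(user).locked_until

    def verify_code(self, user, submitted, expected):
        if self.is_locked(user):
            return "locked"            # rejected before the code is even compared
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._acct(user).failures = 0
            return "ok"
        if self._count:
            self.record_failure(user)  # bad code is treated as a primary auth failure
        return "bad_code"
```

With `count_otp_failures=False` the correct code is still accepted after any number of wrong guesses, which is why a six-digit code can be found in minutes; with the counter shared, the account locks after `MAX_FAILURES` bad codes.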
News URL

https://www.bleepingcomputer.com/news/security/cpanel-2fa-bypassed-in-minutes-via-brute-force-attacks/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                 RISK
2020-12-07  CVE-2020-27641  Rejected reason: DO NOT USE THIS CANDIDATE NUMBER.  0.0

Related vendor

VENDOR  LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Cpanel  5         53          214  100     16    383