A security flaw in the cPanel web hosting application allows attackers to bypass two-factor authentication (2FA) with brute-force attacks on domains running vulnerable versions of cPanel & WebHost Manager (WHM).
cPanel is management software installed on web hosting servers that lets website administrators and owners automate the management of the server and its websites through a graphical interface.
The vulnerability has been recorded as CVE-2020-27641 and was discovered by researchers Michael Clark and Wes Wright of Digital Defense.
Attackers could use CVE-2020-27641 to bypass 2FA on cPanel accounts on millions of websites because cPanel's Security Policy does not block them when they repeatedly submit two-factor authentication codes.
“When MFA is enabled, a user can make as many attempts as they like to find the MFA key without delays and without any ban to avoid a brute-force attack,” the researchers report.
“This leads to a scenario where an attacker with knowledge of valid credentials could bypass MFA protections on an account within a few hours. Our tests have shown that with the best coordination of the attack it can be achieved in minutes.”
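The weakness the researchers describe is the absence of any failure counting on the MFA step. The following Python example, added here and not cPanel's code, shows the difference in behaviour: an RFC 6238 TOTP verifier that never counts failures will check every submitted code, while the same verifier with a failure cap and a lockout period stops checking after a handful of wrong codes. The secret, account name, policy numbers and timestamps are constructed for the demonstration.

```python
"""Defensive illustration of MFA attempt throttling (added example, not cPanel code).

The verifier with max_failures=None mirrors the reported behaviour: every guess is
evaluated. The verifier with a cap locks the account after a few failures and
refuses further codes, right or wrong, until the lockout expires.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TIME_STEP = 30  # RFC 6238 default time step in seconds


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP/TOTP code (HMAC-SHA1 with dynamic truncation, RFC 4226 / RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


@dataclass
class MfaPolicy:
    max_failures: Optional[int] = 5   # None = no cap, i.e. the vulnerable behaviour
    lockout_seconds: int = 900        # constructed value; tune to your risk appetite


@dataclass
class MfaVerifier:
    policy: MfaPolicy
    # account -> (consecutive failures, locked-until timestamp)
    state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def verify(self, account: str, submitted: str, secret: bytes, now: float) -> str:
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"  # refused without evaluating the code at all
        # Only the current step is accepted here; production verifiers usually allow +-1 step.
        expected = totp_code(secret, int(now // TIME_STEP))
        if hmac.compare_digest(submitted, expected):
            self.state.pop(account, None)  # a successful login clears the counter
            return "ok"
        failures += 1
        cap = self.policy.max_failures
        if cap is not None and failures >= cap:
            # Cap reached: lock the account so later attempts are refused unchecked.
            self.state[account] = (0, now + self.policy.lockout_seconds)
        else:
            self.state[account] = (failures, locked_until)
        return "wrong"


DEMO_SECRET = b"constructed-demo-secret"  # constructed seed, not a real one
DEMO_ACCOUNT = "demo-account"


def guesses_evaluated(policy: MfaPolicy, guesses: int, now: float = 1_600_000_000.0) -> int:
    """Submit `guesses` wrong codes for one account and count how many were actually checked."""
    verifier = MfaVerifier(policy)
    correct = totp_code(DEMO_SECRET, int(now // TIME_STEP))
    wrong = "000000" if correct != "000000" else "000001"
    return sum(
        1 for _ in range(guesses)
        if verifier.verify(DEMO_ACCOUNT, wrong, DEMO_SECRET, now) != "locked"
    )


def recovers_after_lockout(policy: MfaPolicy = MfaPolicy()) -> bool:
    """A locked account refuses even the correct code, then accepts it once the lockout expires."""
    verifier = MfaVerifier(policy)
    now = 1_600_000_000.0
    correct = totp_code(DEMO_SECRET, int(now // TIME_STEP))
    wrong = "000000" if correct != "000000" else "000001"
    for _ in range(policy.max_failures):
        verifier.verify(DEMO_ACCOUNT, wrong, DEMO_SECRET, now)
    if verifier.verify(DEMO_ACCOUNT, correct, DEMO_SECRET, now) != "locked":
        return False
    later = now + policy.lockout_seconds
    later_code = totp_code(DEMO_SECRET, int(later // TIME_STEP))
    return verifier.verify(DEMO_ACCOUNT, later_code, DEMO_SECRET, later) == "ok"


if __name__ == "__main__":
    print("no cap  :", guesses_evaluated(MfaPolicy(max_failures=None), 1000), "of 1000 guesses checked")
    print("cap of 5:", guesses_evaluated(MfaPolicy(max_failures=5), 1000), "of 1000 guesses checked")
    print("recovers after lockout:", recovers_after_lockout())
```

The failure counter lives per account, so a cap of five with a fifteen-minute lockout turns an unbounded search of the one-million-code space into a handful of checks per window. In a real deployment the state would sit in a shared store rather than a process-local dict, and the lockout should also be logged as a detection signal rather than silently applied.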
cPanel has already issued security updates addressing the vulnerability in cPanel & WHM versions 11.92.0.2, 11.90.0.17 and 11.86.0.32. All new versions are available through the Update software.
Anyone using cPanel is advised to update immediately, or to contact the company directly for more details if needed.