A security loophole in the cPanel web hosting application allows intruders to bypass two-factor authentication (2FA) with brute-force attacks on domains that use vulnerable versions of cPanel - WebHost Manager (WHM).
CPanel is a management software that is installed on web hosting servers and allows administrators and site owners to automate server and page management, providing a graphical interface.
The vulnerability has been recorded as CVE-2020-27641, and was discovered by researchers Michael Clark and Wes Wright of Digital Defense.
Intruders could use CVE-2020-27641 to bypass 2FA on cPanel accounts on millions of sites because cPanel Security Policy does not prevent them from repeatedly submitting two-factor authentication codes.
"Once the MFA is enabled, a user can make as many attempts as they want to find the MFA key without delay and without a ban to prevent a brute-force attack," the researchers said.
"This leads to a scenario where an intruder with valid credentials could bypass MFA protections on an account in a matter of hours. "Our tests have shown that with the best coordination of the attack, it can be achieved in a matter of minutes."
The cPanel has already issued security updates for vulnerabilities in cPanel & WHM versions 220.127.116.11, 18.104.22.168 and 22.214.171.124. All new releases are available through the Software Update.
Of course, anyone using cPanel is advised to update immediately, or contact the company directly for more details if needed.