A security flaw in the cPanel web hosting application allows attackers to bypass the control identity two factors (2FA) with brute-force attacks on domains using vulnerable versions of cPanel – WebHost Manager (WHM).
CPanel is a management software that is installed on web hosting servers and allows administrators and site owners to automate server and page management, providing a graphical interface.
Η vulnerability has been recorded as CVE-2020-27641, and was discovered by the researchers Michael Clark and Wes Wright of Digital Defense.
Intruders could use CVE-2020-27641 to bypass 2FA on cPanel accounts on millions of sites because cPanel Security Policy does not prevent them from repeatedly submitting two-factor authentication codes.
“When MFA is enabled, a user can make as many attempts as they like to find it key of MFA without delays and without any ban to avoid a brute-force attack,” the researchers report.
"This leads to a scenario where an intruder with valid credentials could bypass MFA protections on an account in a matter of hours. "Our tests have shown that with the best coordination of the attack, it can be achieved in a matter of minutes."
The cPanel has already issued security updates for vulnerabilities in cPanel & WHM versions 11.92.0.2, 11.90.0.17 and 11.86.0.32. All new releases are available through the Software Update.
Of course, anyone using cPanel is advised to update immediately, or contact the company directly for more details if needed.