A security flaw in the cPanel web hosting application allows attackers to bypass two-factor authentication (2FA) with attacks brute-force on domains that use vulnerable versions of cPanel – WebHost Manager (WHM).
CPanel is a management software that is installed on web hosting servers and allows administrators and site owners to automate server and page management, providing a graphical interface.
The vulnerability has been recorded as CVE-2020-27641, and was discovered by researchers Michael Clark and Wes Wright companys Digital Defense.
Intruders could use CVE-2020-27641 to bypass 2FA on cPanel accounts on millions of sites because cPanel Security Policy does not prevent them from repeatedly submitting two-factor authentication codes.
“When MFA is enabled, one user it can make as many attempts as it wants to find the MFA key without delays and without a ban to avoid a brute-force attack,” the researchers report.
"This leads to a scenario where an intruder with valid credentials could bypass MFA protections on an account in a matter of hours. "Our tests have shown that with the best coordination of the attack, it can be achieved in a matter of minutes."
The cPanel has already issued security updates for vulnerabilities in cPanel & WHM versions 11.92.0.2, 11.90.0.17 and 11.86.0.32. All new releases are available through the Software Update.
Of course, anyone using cPanel is advised to update immediately, or contact the company directly for more details if needed.