cPanel and WHM hit by a serious security flaw

A previously undisclosed vulnerability in the web hosting control panel cPanel, as well as in the company's WebHost Manager (WHM), has been discovered by the vulnerability and threat management firm Digital Defense.

cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting-related tasks. cPanel has served the global hosting community for more than 20 years, and over 70m domains have been launched using its software.

The vulnerability, which affects cPanel and WHM version 11.90.05 (90.0 Build 5), is a two-factor authentication bypass flaw that can be exploited by brute force attacks. As a result, an attacker who already has knowledge of or access to valid credentials could bypass the two-factor authentication protections on a user's cPanel or WHM account by guessing the second-factor code.

cPanel provided further details on the vulnerability in a recent security advisory, saying:

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
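The fix the advisory describes, shown as an added illustration that is not cPanel's own code: a TOTP verifier that either accepts unlimited wrong codes (the flawed behaviour) or counts a wrong code like a wrong password and locks the account out, in the spirit of the cPHulk rate limiting the advisory mentions. The account name, secret, five-failure threshold and 15-minute lockout are constructed assumptions.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`; no clock-drift window, for brevity."""
    msg = struct.pack(">Q", now // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class TwoFactorVerifier:
    """Second-factor check for a user who has already passed the password step.

    max_failures=None reproduces the behaviour the advisory describes: every wrong
    code is simply rejected and the next guess is evaluated immediately, so a
    6-digit code falls to at most one million submissions. With a limit, a wrong
    code is treated like a failed password and the account is locked for
    `lockout_seconds` (the thresholds here are assumed, not cPanel's).
    """

    def __init__(self, secrets: dict, max_failures=None, lockout_seconds: int = 900):
        self.secrets = secrets            # username -> TOTP secret bytes
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}                # username -> consecutive failed codes
        self.locked_until = {}            # username -> Unix time the lockout ends

    def verify(self, user: str, code: str, now: int) -> str:
        if self.locked_until.get(user, 0) > now:
            return "locked"               # refuse without evaluating the code at all
        expected = totp(self.secrets[user], now)
        if hmac.compare_digest(expected, code):
            self.failures[user] = 0       # success resets the failure counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
            return "locked"
        return "denied"
```

The test below drives both configurations with a constructed secret: the rate-limited verifier refuses even the correct code once the failure threshold is hit, while the unlimited one accepts it after any number of wrong guesses.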

Two-factor authentication bypass flaw

According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.

Thankfully though, cPanel has patched the flaw in builds 11.92.0.2, 11.90.0.17 and 11.86.0.32; users just need to install the latest updates to avoid falling victim to any brute force attacks exploiting the vulnerability.

Mike Cotton, SVP of engineering at Digital Defense, explained in a press release that the company promptly reached out to cPanel following its discovery, saying:

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
