cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.
The issue, tracked as “SEC-575” and discovered by researchers from Digital Defense, has been remedied by the company in versions 220.127.116.11, 18.104.22.168, and 22.214.171.124 of the software.
cPanel and WHM (Web Host Manager) offers a Linux-based control panel for users to handle website and server management, including tasks such as adding sub-domains and performing system and control panel maintenance. To date, over 70 million domains have been launched on servers using cPanel’s software suite.
The issue stemmed from a lack of rate-limiting during 2FA during logins, thus making it possible for a malicious party to repeatedly submit 2FA codes using a brute-force approach and circumvent the authentication check.
Digital Defense researchers said an attack of this kind could be accomplished in minutes.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication…