cPanel and WHM hit by a serious security flaw

(Image credit: Marco Verch / Flickr)

A previously undisclosed vulnerability in the web hosting control panel cPanel as well as the company's WebHost Manager (WHM) has been discovered by the vulnerability and threat management firm Digital Defense.

cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting related tasks. cPanel has served the global hosting community for more than 20 years and over 70m domains have been launched using its software.

The vulnerability, discovered by Digital Defense which affects cPanel and WHM version 11.90.05 (90.0 Build 5), is a two-factor authentication bypass flaw that can be exploited by brute force attacks. As a result, an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on a user's cPanel or WHM account.

CPanel provided further details on the vulnerability in a recent security advisory, saying:

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

Two-factor authentication bypass flaw

According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.

Thankfully though, cPanel has patched the flaw in builds,, and users just need to install the latest updates to avoid falling victim to any potential brute force attacks exploiting the vulnerability.

SVP of engineering at Digital Defense, Mike Cotton explained in a press release that the company promptly reached out to cPanel following its discovery, saying:

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.” 

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.