A bug discovered in cPanel allows bypassing two-factor authentication

Major security flaw can lead to attacks on web hosting companies: more than 70 million sites managed via cPanel software

Digital Defense noticed a 2FA bug in cPanel security. Attackers might have been brute-forcing cPanel accounts of web hosting companies.

Security researchers revealed a serious vulnerability in cPanel that could lead to major issues for all client accounts.[1] The cPanel software suite is used by various web hosting companies that manage websites for their customers. The flaw, discovered by the Digital Defense research team, allows an attacker to bypass 2FA for cPanel accounts. Access to such accounts can lead to major issues, and the worst part is that such an attack takes only a few minutes.[2]

cPanel account credentials give access to all the functions, such as managing the website and server settings. Once such an account is compromised, threat actors have full control over those domains across the world. It is known that more than 70 million separate sites are managed using cPanel software.

The company patched this security vulnerability that could have allowed access to valid credentials without the required permissions.[3] The issue, tracked as SEC-575[4], should be remediated with versions,, and

The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.

Malicious parties used a brute-force approach

The press release from Digital Defense stated that the implementation of two-factor authentication on older cPanel versions was vulnerable to brute-force attacks. This is how attackers managed to guess URL parameters and bypass the 2FA when it was enabled on the account.

Brute-force attacks[5] are generally pretty difficult and take time: at least hours, or even days, to execute. However, this particular case shows that the attack takes only a few minutes. Exploiting the security flaw requires attackers to have valid login credentials for the targeted account. Phishing the owner of the website can help with that.

The importance of two-factor authentication

Two-factor authentication is crucial: such solutions were released to protect accounts when maliciously obtained credentials are used to reach sensitive and valuable data. Bugs that allow bypassing authentication need to be eliminated, the issues patched, and security measures taken when they are supposed to be taken.

Fortunately, the findings were reported to the company immediately after the discovery, so the company managed to issue patches for the vulnerability. Website owners who use 2FA on their cPanel logins should check whether their web hosting provider has released updates to the installation.

It is still strongly advised to keep two-factor authentication enabled for cPanel accounts. Considering the security flaw, you can ask the web hosting provider to update cPanel to the latest version as soon as possible. The company is also adding a rate limit check to the cPHulk brute-force protection service. This measure means that a failed validation of the two-factor authentication code also counts as a failed login to the account.
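The rate-limit behaviour described above, as an added example that is not cPanel's or cPHulk's own code: a failure counter shared by the login steps, run once with failed 2FA validations counted and once without, against a locally constructed six-digit code. The names `LoginThrottle`, `submit_code` and `codes_tested`, the limit of 5 failures per 300 seconds, and keying the counter by account name are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter shared by the password and 2FA steps."""

    def __init__(self, max_failures=5, window_s=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def locked(self, account):
        q = self._failures[account]
        cutoff = self.clock() - self.window_s
        while q and q[0] <= cutoff:          # drop failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, account):
        self._failures[account].append(self.clock())


def submit_code(throttle, account, submitted, expected, count_2fa_failures=True):
    """Validate one second-factor code; returns 'ok', 'denied' or 'locked'."""
    if throttle.locked(account):
        return "locked"                      # refuse before comparing anything
    if hmac.compare_digest(submitted, expected):
        return "ok"
    if count_2fa_failures:                   # a failed 2FA check is a failed login
        throttle.record_failure(account)
    return "denied"


def codes_tested(count_2fa_failures, expected="004217", limit=10_000):
    """Local simulation: how many sequential submissions get compared to the
    constructed code `expected` before the throttle stops them."""
    throttle = LoginThrottle()
    tested, result = 0, "denied"
    for n in range(limit):
        result = submit_code(throttle, "alice", f"{n:06d}", expected,
                             count_2fa_failures)
        if result == "locked":
            break
        tested += 1
        if result == "ok":
            break
    return tested, result
```

With failures counted, the account locks after five wrong codes; with the counter skipped for the 2FA step, every submission is evaluated until one matches.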

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College, Communication and Journalism studies.
