cPanel 2-Factor Auth Bypass

November 30, 2020

A 2-factor authentication bypass hole in WHM/cPanel security has been reported; it affects WHM resellers.

cPanel, a provider of software for managing web hosting and websites, has recently patched a security vulnerability that allowed an attacker who already held valid credentials for a cPanel account on the server to bypass the two-factor authentication (2FA) protection on that account.

The issue is tracked as “SEC-575” and was discovered by researchers from Digital Defense.

The issue stemmed from a lack of rate-limiting on 2FA code submissions during cPanel account logins. This made it possible for an attacker to repeatedly submit 2FA codes until one was accepted, defeating the authentication check by brute force.

As of November 2020, the researchers said that such an attack could be completed within minutes.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” cPanel said in this advisory. “This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.”

cPanel has addressed the flaw by adding a rate-limit check to its cPHulk brute-force protection service, so that a failed validation of a 2FA code is now treated as a failed login.
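The defensive change described above, as an added Python example that is not cPanel's or cPHulk's own code: a TOTP verifier whose failed code checks feed the same per-account failure counter and lockout as failed password attempts. The `LoginGuard` class, the threshold of 5 failures and the 900-second window are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed illustration of the fix: a bad 2FA code counts as a failed login,
# so an account locks after a few bad codes instead of allowing unlimited guesses.
MAX_FAILURES = 5        # assumed lockout threshold, not cPanel's actual value
LOCKOUT_SECONDS = 900   # assumed lockout window, not cPanel's actual value


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LoginGuard:
    """Per-account failure counter shared by password and 2FA checks (hypothetical)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}  # user -> (failure count, time of first failure)

    def locked(self, user: str, now: int) -> bool:
        count, since = self.failures.get(user, (0, 0))
        if count >= self.max_failures and now - since < self.lockout:
            return True
        if now - since >= self.lockout:
            self.failures.pop(user, None)  # window expired: start a fresh count
        return False

    def record_failure(self, user: str, now: int) -> None:
        count, since = self.failures.get(user, (0, now))
        self.failures[user] = (count + 1, since)

    def verify_2fa(self, user: str, secret: bytes, submitted: str, now: int) -> bool:
        if self.locked(user, now):
            return False  # rejected before any code is checked, even a correct one
        if hmac.compare_digest(totp(secret, now), submitted):
            self.failures.pop(user, None)  # success clears the counter
            return True
        self.record_failure(user, now)  # a bad code counts exactly like a bad password
        return False
```

Without the counter, a 6-digit code gives at most one million possibilities, which is why unlimited submissions defeat the check in minutes; with it, the account locks after `max_failures` bad codes.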

This is not the first time that the absence of rate-limiting has posed a serious security concern. Issues like this should not happen, but cPanel dealt with it quickly, which is what we would expect. At 247Rack we have no reports of any bypasses, so there is no need to worry; we are confident that cPanel is still secure and will remain so.

In July 2020, the video conferencing company Zoom fixed a security loophole that could have allowed attackers to break the numeric passcode used to secure private Zoom meetings, enabling them to spy on all active participants of a targeted meeting.

We recommend that all 247Rack cPanel customers log in to the admin panel (or use the command line) and apply the patches to mitigate the risk associated with this security flaw. We would also highly recommend the open-source software Jitsi; a self-hosted instance can be easily set up on any 247Rack server.
