Two-step verification on cPanel could be bypassed with a brute-force attack
A vulnerability in cPanel allowed the two-step verification on accounts to be bypassed. The control panel placed no limit on the number of 2FA codes that could be attempted, so the correct code could be found by brute force.
According to the developers, the vulnerability affects versions 92, 90 and 86, as well as older releases of cPanel & WebHost Manager. It was discovered by security researchers at Digital Defense and made it possible to bypass the two-step verification on cPanel accounts. The software is widely used, running on millions of websites to manage those sites and their users; cPanel is mainly offered by hosting and reseller providers as part of their hosting packages.
According to the Digital Defense researchers, the two-step verification codes could be brute-forced: an incorrectly entered code was not treated as a failed login attempt, so an attacker could try an unlimited number of 2FA codes. Because the codes usually consist of six digits, there are only one million possible values and the correct one could be found relatively quickly. The attacker did, however, need the user's credentials first.
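The following is an added illustration, not cPanel's code, of why an unthrottled 2FA check falls to brute force and how a per-user failure counter stops it. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits); the secret, the user name, the in-memory failure store and the 5-attempt / 15-minute lockout values are constructed assumptions for the demo, not details of cPanel's implementation. Real verifiers often also accept one or two adjacent time steps for clock skew, which only widens the attacker's target.

```python
"""Added example: unthrottled TOTP verification versus a locked-out variant.

Constructed for illustration; nothing here is cPanel's own code.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step."""
    msg = struct.pack(">Q", timestep)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UnthrottledVerifier:
    """Vulnerable pattern: a wrong code is simply rejected and forgotten,
    so an attacker who already has the password can walk all 10**6 codes."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, user: str, code: str, now: int) -> bool:
        expected = totp(self.secret, now // 30)
        return hmac.compare_digest(code, expected)


class ThrottledVerifier(UnthrottledVerifier):
    """Hardened pattern: count wrong codes per user and refuse further
    attempts (even the right code) once MAX_FAILURES is reached, until
    LOCKOUT_SECONDS have passed since the first failure in the window."""

    MAX_FAILURES = 5        # assumed policy value
    LOCKOUT_SECONDS = 900   # assumed policy value (15 minutes)

    def __init__(self, secret: bytes):
        super().__init__(secret)
        self.failures = {}  # user -> (failure count, time of first failure)

    def verify(self, user: str, code: str, now: int) -> bool:
        count, since = self.failures.get(user, (0, now))
        if count >= self.MAX_FAILURES and now - since < self.LOCKOUT_SECONDS:
            return False  # locked out: do not even evaluate the code
        if now - since >= self.LOCKOUT_SECONDS:
            count, since = 0, now  # window expired, start a fresh count
        if super().verify(user, code, now):
            self.failures.pop(user, None)  # success clears the counter
            return True
        self.failures[user] = (count + 1, since)
        return False


def brute_force(verifier, user: str, now: int, max_attempts: int = 10 ** 6):
    """Attacker loop: submit 000000..999999 against one time step.
    Returns (accepted code or None, number of attempts made)."""
    for n in range(max_attempts):
        code = str(n).zfill(6)
        if verifier.verify(user, code, now):
            return code, n + 1
    return None, max_attempts


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, not a real secret
    now = 1_700_000_000
    code, tries = brute_force(UnthrottledVerifier(secret), "alice", now)
    print(f"unthrottled: code {code} recovered after {tries} attempts")
    code, tries = brute_force(ThrottledVerifier(secret), "alice", now)
    print(f"throttled:   recovered={code!r} after {tries} attempts")
```

Against the unthrottled verifier the loop always succeeds within a million guesses; against the throttled one it is refused after five wrong codes and the correct code is rejected too until the window expires. In a real deployment the counter belongs in shared storage so it survives restarts and applies across backend instances, and a failed 2FA code should be logged as a failed login so it also feeds the same alerting as password failures.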
The researchers reported the bug to cPanel, which has since released patches. The bug has been fixed in versions 11.92.0.2, 11.90.0.17 and 11.86.0.32. The researchers advise users not to turn off two-step verification as a temporary measure, but to ask their website administrators to update cPanel.