2FA bypass found in web hosting software cPanel


A major security flaw was discovered in cPanel, the software suite used by web hosting companies to manage websites for their customers.

The security researchers from Digital Defense had found the bug that allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.

The cPanel accounts are used by website owners to access and manage their websites and underlying server settings. If a threat actor manages to attain access to these accounts then they could take total control over the victim’s site.

cPanel states on its website that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.

Digital Defense stated in a press release that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account.

Even though brute-forcing attacks usually take hours or days to execute, here the attack can take only a few minutes.

In order to exploit the bug, the threat actors also needed valid credentials for a targeted account and this can be obtained from phishing the website owner.

The website owners might not find this bug to be of importance, but since 2FA solutions were invented to protect against the use of phished credentials, any 2FA bypass like this bug must be looked upon with utmost urgency and attention.

The bug which has been dubbed as SEC-575 has been reported to the cPanel team for which they have already released patches last week.

All the website owners who use 2FA on their cPanel login can check if their web hosting provider has rolled out the update to their cPanel installation by checking the platform’s version number.

According to cPanel’s security advisory, the 2FA bypass issue has been patched in cPanel & WHM software,, and

It is advised that the users must not disable 2FA for their cPanel accounts due to this bug. Instead they must request their web hosting providers to update the cPanel installation to the latest version.

Image Credits : Hostinger

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    TikTok fixes bugs that allows account takeover with one click

    Previous article

    Baidu’s Android apps found collecting sensitive user data

    Next article

    You may also like


    Leave a reply

    Your email address will not be published. Required fields are marked *