cPanel & WHM Vulnerability
Digital Defense, Inc. is disclosing a vulnerability identified in cPanel & WHM discovered by our Vulnerability Research Team (VRT). The engineers at cPanel & WHM are to be commended for their prompt response to the identified flaw and their team’s work with VRT to provide prompt fixes for this cyber security issue.
cPanel & WHM has provided a patch for the vulnerability identified on the application. The patch is available for download via Software Update.
Digital Defense will not be providing an automated check for this flaw as validation and exploit techniques require specific conditions to be met that cannot be automated.
Details of the vulnerability are as follows:
DDI-VRT-2020-04 – cPanel & WHM 2FA bypass (CVE-2020-27641)
cPanel & WHM MFA Bypass
The MFA bypass can be leveraged by an attacker to circumvent MFA protections on accounts for which the attacker has valid credentials.
Affected versions: cPanel & WHM versions prior to 22.214.171.124, 126.96.36.199, and 188.8.131.52
When MFA is enabled on an account, the user may submit as many attempts at the MFA code as they like, with no lockout or delay to prevent a brute force attack. As a result, an attacker with knowledge of valid credentials could bypass the MFA protection on an account within a matter of hours. Our testing has demonstrated that with finer tuning of the attack it can be accomplished in minutes.
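As an added illustration, not cPanel's code: a small RFC 6238 TOTP verifier in Python that can run either in the unthrottled mode described above or with a consecutive-failure lockout, showing that the lockout refuses even a correct code once the threshold is hit. The secret, thresholds and class names are constructed for this demo.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed demo secret; a real deployment stores a random per-user secret.
DEMO_SECRET = b"constructed-demo-secret-0123"
MAX_FAILURES = 5        # consecutive bad codes before the account is locked
LOCKOUT_SECONDS = 300   # how long MFA attempts are refused after lockout


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class MfaState:
    failures: int = 0
    locked_until: float = 0.0


class MfaVerifier:
    def __init__(self, secret: bytes, lockout: bool = True):
        self.secret = secret
        self.lockout = lockout   # False reproduces the unthrottled behaviour
        self.state = MfaState()

    def verify(self, code: str, now: float) -> bool:
        st = self.state
        if self.lockout and now < st.locked_until:
            return False         # locked: refuse without evaluating the code
        # Accept the current step and one step either side to tolerate clock drift.
        ok = any(hmac.compare_digest(code, totp(self.secret, now + d)) for d in (-30, 0, 30))
        if ok:
            st.failures = 0
            return True
        st.failures += 1
        if self.lockout and st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return False
```

In the throttled mode an attacker gets at most MAX_FAILURES guesses per LOCKOUT_SECONDS window, which turns a six-digit code from a minutes-scale search into one that would take years and is trivially visible in the logs.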