Thursday, April 24, 2025
HomeCVE/vulnerabilitycPanel 2FA Bypass Exposes Tens of Millions of Websites to Hack

cPanel 2FA Bypass Exposes Tens of Millions of Websites to Hack

Published on

SIEM as a Service

Follow Us on Google News

Digital Defense, Inc., a leader in vulnerability and threat management solutions, announced that its Vulnerability Research Team (VRT) exposed a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.

cPanel & WHM is a suite of tools built for Linux OS that enables hosting providers and users the ability to automate server management and web hosting tasks. The software suite is currently used to manage above 70 million domains across the globe.

Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. These interfaces were using URL encoding on the parameters rather than URI encoding. Due to this fault, a cPanel & WHM user could be misled into performing actions they did not intend.

- Advertisement - Google News

The cPanel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass defect, susceptible to brute force attack.

 An attacker with knowledge of or access to valid credentials could evade two-factor authentication protections on an account. Digital Defense’s in-house testing demonstrated that an attack will be get done in minutes.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. 

This problem was addressed with the release of the following builds:

  • 11.92.0.2
  • 11.90.0.17
  • 11.86.0.32

The Digital Defense, Vulnerability Research Team right away makes contact with the affected vendor to notify the organization of the new finding(s) and help out, wherever possible, with the vendor’s remediation actions.

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability,” states Mike Cotton, senior vice president of engineering at Digital Defense.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Ensiko – A PHP Based Web Shell with Ransomware Capabilities Attacks PHP Installation

Hackers using weaponized TeamViewer to Attack & Gain Full Control of the Government Networks

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Redis DoS Flaw Allows Attackers to Crash Servers or Drain Memory

A high-severity denial-of-service (DoS) vulnerability in Redis, tracked as CVE-2025-21605, allows unauthenticated attackers to crash...

Google Warns: Threat Actors Growing More Sophisticated, Exploiting Zero-Day Vulnerabilities

Google’s Mandiant team has released its M-Trends 2025 report, highlighting the increasing sophistication of...

Critical Langflow Flaw Enables Malicious Code Injection – Technical Breakdown Released

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-3248 with a CVSS score...

GitLab Releases Critical Patch for XSS, DoS, and Account Takeover Bugs

GitLab, a leading DevOps platform, has released a critical security patch impacting both its...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Redis DoS Flaw Allows Attackers to Crash Servers or Drain Memory

A high-severity denial-of-service (DoS) vulnerability in Redis, tracked as CVE-2025-21605, allows unauthenticated attackers to crash...

Google Warns: Threat Actors Growing More Sophisticated, Exploiting Zero-Day Vulnerabilities

Google’s Mandiant team has released its M-Trends 2025 report, highlighting the increasing sophistication of...

Critical Langflow Flaw Enables Malicious Code Injection – Technical Breakdown Released

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-3248 with a CVSS score...