Researchers have uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform. cPanel &WHM version 18.104.22.168 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.
cPanel’s 2-factor authentication could be bypassed because it did not lock users out for failed attempts. This and a lack of rate-limiting meant that attackers could use a script to simply try every possible 2-factor code until they found the right one. The result is that this 2-factor implementation was little more than window dressing.