DEV Community

Cover image for How Hackers Are Bypassing cPanel 2FA and What You Must Do Now
qudrat ullah
qudrat ullah

Posted on • Originally published at qudratullah.net

How Hackers Are Bypassing cPanel 2FA and What You Must Do Now

#cpanel #security #vulnerability #2fa

As engineers, we rely on layers of security to protect our work. One of the most trusted layers is two-factor authentication (2FA). It's the digital deadbolt on our front door. But what happens when that deadbolt can be picked in seconds? A critical vulnerability in cPanel, the web hosting control panel used by millions of websites, is being actively exploited right now. It allows attackers to bypass 2FA entirely.

This is not a theoretical problem. This is happening in the wild. If you manage or develop for websites hosted on cPanel, you need to understand this threat and act immediately. Let's break down the vulnerability, how it works, and what you need to do to protect your systems.

What is the Vulnerability (CVE-2023-29489)?

The vulnerability, officially known as CVE-2023-29489, affects cPanel & WHM (WebHost Manager). At its core, it is a flaw in the brute-force protection for the 2FA verification step.

Here is how it is supposed to work: when you enter your password correctly, the system asks for a 2FA code. If you enter the wrong code a few times (say, 3 or 5 times), the system should lock you out for a period. This is called rate-limiting, and it's a fundamental defense against brute-force attacks.

The cPanel vulnerability means this rate-limiting was not working correctly. An attacker who already has a valid username and password can try to guess the 2FA code an unlimited number of times, as fast as their computer can send requests. Since a typical 2FA code is just a 6-digit number, there are only one million possible combinations. A modern script can try all of them in minutes.

Think of it this way: your password is the main lock on a door. 2FA is a second, smaller lock. The flaw means an attacker can try every possible key for that second lock at machine speed without ever being stopped.

How the Exploit Works Step-by-Step

The attack requires two things: a valid username-password pair and a vulnerable cPanel instance. The first part is usually achieved through phishing or credential stuffing, where attackers use passwords leaked from other data breaches.

Once they have the credentials, the process is dangerously simple.

A flowchart showing the cPanel exploit. An attacker with a password logs in, then uses a script to loop through 2FA codes. A vulnerable cPanel does not rate limit the attempts, allowing the loop to continue until the correct code is found, granting full access.

  1. Obtain Credentials: The attacker gets a working username and password for a cPanel account. This is the entry ticket.
  2. Initial Login: They use these credentials to log in. The system correctly validates the password and proceeds to the next step: the 2FA challenge.
  3. Brute-Force the 2FA Code: The cPanel login form asks for the 6-digit code from the user's authenticator app. Instead of entering one code, the attacker launches a script that sends hundreds or thousands of login requests per second, each with a different 2FA code (from 000000 to 999999).
  4. Bypass and Gain Access: Because the rate-limiting is broken, cPanel does not block these repeated attempts. Within a short time, the script hits the correct code. The attacker is authenticated and gains full administrative access to the cPanel account.

Once inside, they have the keys to the kingdom. They can access databases, read source code, install malware, deface your website, or use your server to attack others.

A Simple Brute-Force Simulation

To make this more concrete, here is a simplified Python script that demonstrates the logic of a brute-force attack. This is for educational purposes only, to show how trivial it is to automate these attempts.

import requests

# WARNING: This code is for educational purposes only.
# Do not use it for any unauthorized or malicious activity.

TARGET_URL = 'https://your-cpanel-domain.com:2083/login'
USERNAME = 'stolen_user'
PASSWORD = 'stolen_password'

# Create a session to persist cookies after password auth
session = requests.Session()

# Note: A real exploit would first handle the initial password login.
# This example focuses on the 2FA brute-force part.

print("Starting 2FA brute-force simulation...")

# Loop through all possible 6-digit codes
for code_int in range(1000000):
    # Format the code as a 6-digit string with leading zeros
    tfa_code = f"{code_int:06d}"

    # The payload would contain the 2FA code
    payload = {
        'user': USERNAME,
        'pass': PASSWORD, # In a real scenario, this might be a session token
        'tfa_code': tfa_code
    }

    try:
        # In a real exploit, the attacker would check the response
        # to see if the login was successful.
        # response = session.post(TARGET_URL, data=payload)

        # For simulation, we just print progress
        if code_int % 1000 == 0:
            print(f"Attempting code: {tfa_code}")

        # if "Login Successful" in response.text:
        #     print(f"\nSuccess! Code found: {tfa_code}")
        #     break

    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
        break

print("\nSimulation finished.")
Enter fullscreen mode Exit fullscreen mode

This script loops from 0 to 999,999, formats each number as a 6-digit code, and simulates sending it in a request. A real attacker's script would be more sophisticated, using multiple threads to run much faster, but the core logic is the same.

What You Must Do Right Now

Protecting your systems requires immediate and layered action. Do not assume you are safe.

1. Update cPanel & WHM Immediately

This is the most critical step. The vulnerability was patched by the cPanel team. You must ensure your server is running one of the fixed versions or a newer one:

  • 110.0.13 or later
  • 108.0.13 or later
  • 102.0.20 or later

If you manage your own server, run the update yourself. If you use a managed hosting provider, contact them and confirm they have patched their systems. Do not just assume they have. Ask for confirmation. You can check your cPanel version by logging in and looking at the version number, usually in the footer or sidebar.

2. Enforce Strong, Unique Passwords

Remember, this exploit requires the attacker to have a valid password first. The single best thing you can do to prevent this and many other attacks is to use a strong, unique password for your cPanel account. Use a password manager to generate and store it. If you have been reusing a password, change it now.

3. Monitor Your Logs

Even on a patched system, monitoring for suspicious activity is a good practice. A failed brute-force attack will still leave traces. Look for a massive number of failed login attempts from a single IP address in your cPanel access logs (/usr/local/cpanel/logs/login_log). A flood of POST requests to the login endpoint is a clear indicator someone is trying to get in.

4. Use a Web Application Firewall (WAF)

A well-configured WAF can provide an extra layer of protection. Tools like ModSecurity (often included with cPanel) or external services like Cloudflare can be configured with rules to detect and block brute-force patterns before they even reach cPanel. For example, you can set a rule to temporarily ban an IP that makes more than 10 failed login attempts in a minute.

5. Restrict Access by IP Address

For maximum security, you can configure WHM or your server's firewall to only allow logins from specific, trusted IP addresses (like your office or home network). This completely blocks login attempts from anywhere else. The trade-off is convenience. If you need to log in from a new location, you have to add your new IP to the allow-list first. For high-value servers, this is a trade-off worth making.

The Bigger Lesson: Defense in Depth

This cPanel vulnerability is a powerful reminder that no single security measure is foolproof. 2FA is excellent, but a bug in its implementation can render it useless. This is why we practice "defense in depth".

  • A strong password would have stopped the attacker from even reaching the 2FA stage.
  • A patched cPanel instance would have correctly rate-limited the 2FA attempts.
  • A WAF might have blocked the attack pattern at the network edge.
  • IP whitelisting would have prevented the attacker from connecting at all.
  • Log monitoring would help you detect the attempt, even if it failed.

Each layer provides another chance to stop an attack. When one layer fails, another is there to catch it. As developers and system administrators, our job is not to find a single perfect solution, but to build a resilient system with multiple, overlapping defenses.

About the Author

Hi, I'm Qudrat Ullah, an Engineering Lead with 10+ years building scalable systems across fintech, media, and enterprise. I write about Node.js, cloud infrastructure, AI, and engineering leadership.

Find me online: LinkedIn ยท qudratullah.net

If you found this useful, share it with a fellow engineer or drop your thoughts in the comments.

Originally published at www.qudratullah.net.

Top comments (0)