CVE-2024-39891
Severity: MEDIUM (CVSS 5.3)
Listed in CISA KEV
In the Twilio Authy API, as used by Authy for Android before 25.1.0 and Authy for iOS before 26.1.0, an unauthenticated endpoint exposed phone-number data and was exploited in the wild in June 2024. The endpoint accepted a stream of requests, each carrying a phone number, and replied with whether that number was registered with Authy. Authy accounts themselves were not compromised; the exposed data was the registration status of each submitted number, which is enough to let an attacker confirm which numbers belong to Authy users and single them out for phishing or smishing.
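The flaw class described above is an account-enumeration oracle: an anonymous caller can submit numbers one after another and learn which are enrolled. The following is an added illustration, not Twilio's code and not the real Authy API; the service, numbers, token and limits are constructed for the example. It shows the vulnerable pattern beside a hardened handler that requires authentication, throttles per client, and returns the same response whether or not the number is enrolled.

```python
"""Toy in-memory lookup service illustrating the bug class behind CVE-2024-39891.
Hypothetical example: not Twilio's code or the real Authy API."""
from collections import defaultdict
import hmac
import time

# Constructed sample data: numbers the toy service considers registered.
REGISTERED = {"+15551230001", "+15551230002"}
# Constructed credential standing in for a real session or API token.
VALID_TOKEN = "example-session-token"


def vulnerable_lookup(phone: str) -> dict:
    """Pattern the CVE describes: no authentication, no throttling, and a reply
    that differs depending on whether the number is enrolled."""
    return {"registered": phone in REGISTERED}


def enumerate_registered(candidates, lookup=vulnerable_lookup) -> list:
    """What such an oracle enables: stream many numbers and keep the hits."""
    return [p for p in candidates if lookup(p)["registered"]]


class HardenedLookup:
    """Same feature with three changes: the caller must be authenticated,
    requests are rate-limited per client key, and the response does not
    depend on whether the number is registered."""

    def __init__(self, max_requests=5, window_s=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(list)  # client key -> request timestamps
        self.sent = []  # numbers that received the (simulated) verification prompt

    def _throttled(self, client_key: str) -> bool:
        """Sliding-window limit: at most max_requests per window per client."""
        now = self.clock()
        recent = [t for t in self._hits[client_key] if now - t < self.window_s]
        self._hits[client_key] = recent
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def handle(self, phone: str, client_key: str, token) -> dict:
        # 1. Require a valid credential; anonymous callers get nothing.
        if token is None or not hmac.compare_digest(token, VALID_TOKEN):
            return {"status": 401, "body": {"error": "authentication required"}}
        # 2. Throttle so a stream of lookups cannot be run cheaply.
        if self._throttled(client_key):
            return {"status": 429, "body": {"error": "too many requests"}}
        # 3. Do the enrolled-only side effect, but keep the reply uniform.
        if phone in REGISTERED:
            self.sent.append(phone)  # stands in for pushing a verification prompt
        return {
            "status": 202,
            "body": {"message": "If this number is enrolled, a verification prompt has been sent."},
        }
```

The uniform body and status code close the direct oracle; in a real deployment the enrolled and non-enrolled paths should also take comparable time, since a measurable latency difference reopens the same leak through a side channel.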
CVSS v3.1 base score 5.3 (MEDIUM): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (reachable over the network, no privileges or user interaction required, low confidentiality impact, no integrity or availability impact)
CISA Known Exploited Vulnerability
- Added to KEV: 2024-07-23
- Remediation deadline: 2024-08-13
- Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Known use in ransomware campaigns: No
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| twilio | authy | iOS | <26.1.0 | cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:* |
| twilio | authy_authenticator | Android | <25.1.0 | cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:* |
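The version ranges in the table are the practical check for this CVE: any Authy client below 25.1.0 on Android or below 26.1.0 on iOS is in scope. The helper below is an added example for triaging a device inventory against those ranges; it is not vendor tooling, and the inventory rows are constructed sample input. Rows that cannot be parsed are reported as affected rather than skipped, because an unknown version is not evidence of a patched one.

```python
"""Check Authy client versions against the affected ranges from the CPE table.
Added example, not vendor tooling; sample inventory is constructed."""

# Fixed versions from the CPE table: anything strictly below is affected.
FIXED_VERSIONS = {
    "android": (25, 1, 0),
    "ios": (26, 1, 0),
}


def parse_version(text: str) -> tuple:
    """Turn '25.1' or '25.1.0' into a comparable tuple padded to three parts.
    Raises ValueError on non-numeric components so junk never compares as safe."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(platform: str, version: str) -> bool:
    """True if this client version falls inside the vulnerable range."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < FIXED_VERSIONS[key]


def triage(inventory) -> list:
    """Return device ids that still need the Authy update.
    `inventory` is an iterable of (device_id, platform, version) rows;
    rows that fail to parse are treated as affected, not silently dropped."""
    needs_update = []
    for device_id, platform, version in inventory:
        try:
            affected = is_affected(platform, version)
        except ValueError:
            affected = True
        if affected:
            needs_update.append(device_id)
    return needs_update


# Constructed sample inventory, as an MDM export might look.
SAMPLE_INVENTORY = [
    ("phone-01", "android", "24.3.7"),
    ("phone-02", "Android", "25.1.0"),
    ("phone-03", "iOS", "26.0.2"),
    ("phone-04", "ios", "26.1"),
    ("phone-05", "ios", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```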