CVE-2024-39891

high-risk
Published 2024-07-02

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

Do I need to act?

!
29.6% chance of exploitation in next 30 days
EPSS score — higher than 70% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Twilio

References (9)

Technical Description https://cwe.mitre.org/data/definitions/203.html
Press/Media Coverage https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-mill...
Product https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
Release Notes https://www.twilio.com/en-us/changelog
Technical Description https://cwe.mitre.org/data/definitions/203.html
Press/Media Coverage https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-mill...
Product https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
Release Notes https://www.twilio.com/en-us/changelog
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...
50
/ 100
high-risk
Severity 21/34 · High
Exploitability 22/34 · High
Exposure 7/34 · Low