CVE-2024-39891

MEDIUM KEV

Twilio Authy < 26.1.0 (iOS) and < 25.1.0 (Android) - Unauthenticated Phone Number Enumeration via API Endpoint

Title source: llm

Exploitation Summary

CVE-2024-39891 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 23, 2024.

Description

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers and responded with information about whether each phone number was registered with Authy. This is an observable-discrepancy flaw (CWE-203): no credentials were needed, and because the response differed for registered and unregistered numbers, an attacker could feed in large candidate lists and build a list of Authy users for follow-on phishing or smishing. Authy accounts themselves were not compromised; the fix on the Twilio side closed the unauthenticated endpoint, and the updated clients stop using it.
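The following is an added illustration of the pattern described above, written for this page; it is not Twilio's or Authy's code and does not reproduce the real endpoint. It contrasts a constructed lookup that answers "registered or not" to any caller (the CWE-203 shape) with a hardened variant that returns the same status and body regardless of registration state and caps how many lookups one client may make. The phone numbers, the `REGISTERED_NUMBERS` set, the `client_id` parameter and the request budget are all assumptions for the example; a real deployment would key the budget on an authenticated identity and use a sliding time window rather than a lifetime counter.

```python
"""Constructed example: phone-number enumeration oracle vs. a uniform-response endpoint."""
from collections import defaultdict
from typing import Callable

# Constructed sample registry for the example; not Authy data.
REGISTERED_NUMBERS = {"+15550001111", "+15550002222"}

# Constructed candidate list an attacker might stream at the endpoint.
CANDIDATES = ["+15550001111", "+15550003333", "+15550002222", "+15550004444"]


def lookup_vulnerable(phone: str) -> tuple[int, dict]:
    """Vulnerable shape: unauthenticated, and the body reveals registration state."""
    return 200, {"registered": phone in REGISTERED_NUMBERS}


class EnumerationGuard:
    """Hardened shape: uniform response plus a per-client request budget.

    max_requests is a lifetime cap here to keep the example deterministic;
    production code would use a time-windowed limiter.
    """

    def __init__(self, max_requests: int = 5) -> None:
        self.max_requests = max_requests
        self.counts: dict[str, int] = defaultdict(int)

    def lookup_hardened(self, phone: str, client_id: str) -> tuple[int, dict]:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.max_requests:
            # Throttle before touching the registry at all.
            return 429, {"error": "rate limited"}
        # Registration state is consulted only for the server-side action
        # (e.g. deliver a code to a registered number); the client sees one
        # fixed status and body either way, so there is nothing to distinguish.
        _registered = phone in REGISTERED_NUMBERS  # used server-side only
        return 202, {"status": "if this number is registered, a code was sent"}


def enumerate_numbers(
    candidates: list[str], oracle: Callable[[str], tuple[int, dict]]
) -> list[str]:
    """Attacker loop: keep every candidate the oracle confirms as registered."""
    found = []
    for phone in candidates:
        status, body = oracle(phone)
        if status == 200 and body.get("registered") is True:
            found.append(phone)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_numbers(CANDIDATES, lookup_vulnerable))
    guard = EnumerationGuard(max_requests=3)
    print("hardened:", enumerate_numbers(
        CANDIDATES, lambda p: guard.lookup_hardened(p, "attacker")))
```

Against `lookup_vulnerable` the loop recovers exactly the registered numbers; against `lookup_hardened` it recovers nothing, and the fourth request is already throttled. The important property is the first one: even without the rate limit, identical responses for both states remove the oracle.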

Scores

CVSS v3 5.3
EPSS 0.1707
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2024-07-23
VulnCheck KEV 2024-07-02
InTheWild.io 2024-07-03
ENISA EUVD EUVD-2024-38291
CWE
CWE-203
Status published
Products (2)
twilio/authy < 26.1.0
twilio/authy_authenticator < 25.1.0
Published Jul 02, 2024
KEV Added Jul 23, 2024
Tracked Since Feb 18, 2026