CVE-2024-39891
published 2024-07-02


Priority: P279
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploited in the wild (ITW); CISA Known Exploited Vulnerability (KEV), remediation due 2024-08-13
EPSS: 1.48% (70.6th percentile)
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
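The paragraph above describes an existence oracle: an unauthenticated endpoint whose answer depends on whether the submitted number is enrolled. The following is an added example, not Twilio's code and not the real Authy endpoint: a toy handler with that defect next to a hardened form that requires a session token, rate-limits per caller and answers identically whether or not the number is registered. The token names, phone numbers and handler signatures are constructed for the example.

```python
"""Toy model of a phone-number registration check (added example, not Twilio's
code): the vulnerable handler is an unauthenticated existence oracle; the
hardened one requires a session token, rate-limits per token and answers
identically whether or not the number is registered."""
import time
from collections import defaultdict, deque

# Constructed sample data for this example only.
REGISTERED = {"+15550100001", "+15550100002"}
VALID_TOKENS = {"tok-alice"}          # hypothetical session tokens
PENDING_VERIFICATIONS = set()         # internal side effect, never returned to the caller


def vulnerable_lookup(request):
    """No auth, no rate limit, and the body differs per number: anyone can stream
    numbers through and learn which ones are enrolled."""
    return {"status": 200, "registered": request["phone"] in REGISTERED}


class RateLimiter:
    """Sliding-window limiter keyed by caller (token, or source IP before auth)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


DEFAULT_LIMITER = RateLimiter(limit=5, window_s=60.0)


def hardened_lookup(request, now=None, limiter=DEFAULT_LIMITER):
    """Authenticate, rate-limit, and return a response that does not depend on
    whether the number exists; the registration state is acted on internally."""
    now = time.time() if now is None else now
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return {"status": 401}
    if not limiter.allow(token, now):
        return {"status": 429}
    if request["phone"] in REGISTERED:
        PENDING_VERIFICATIONS.add(request["phone"])   # e.g. kick off an SMS challenge
    return {"status": 202}                            # same answer either way


def enumerate_numbers(handler, candidates, headers=None):
    """Attacker side: stream candidate numbers at a handler and keep those it
    confirms as registered."""
    found = []
    for phone in candidates:
        resp = handler({"phone": phone, "headers": headers or {}})
        if resp.get("registered") is True:
            found.append(phone)
    return found
```

Against `vulnerable_lookup` the enumeration loop recovers every registered number in the candidate list; against `hardened_lookup` it recovers none, and even a valid token is throttled after five lookups per minute. The hardened form only closes the response-body channel; a real service would also have to keep response timing and error paths uniform.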

Affected (2 ranges)

Vendor | Product             | Version range | Fixed in
twilio | authy               | < 26.1.0      | 26.1.0
twilio | authy_authenticator | < 25.1.0      | 25.1.0

Detection & IOCs (extracted from sources)

  • Detect unauthenticated requests to the Twilio Authy API endpoint that accepts a stream of phone numbers and returns registration status: monitor for bulk enumeration patterns against the Authy API with no authentication headers.
  • Flag unauthenticated API calls to Twilio Authy endpoints that carry phone-number parameters in the request body or query string, particularly in high-volume sequences indicative of enumeration.
  • Treat Authy Android before 25.1.0 and Authy iOS before 26.1.0 as out-of-date clients: Twilio closed the unauthenticated endpoint on the server side and asked all users to update to these versions.
  • Exploitation was confirmed in the wild in June 2024. Authy accounts themselves were not compromised; the vulnerability only exposed whether a phone number was registered with Authy (information disclosure, not account takeover).
  • The vendor advisory and changelog are available at the Twilio changelog URL referenced by CISA; detections should be validated against vendor-confirmed endpoint details from that source.

Note that the endpoint lives in Twilio's infrastructure, so the first two items are observable only at the API provider, not by organizations whose users run Authy. For those organizations the actionable items are the app update and Twilio's advice to users to stay alert for phishing and smishing, since an attacker who knows a number is enrolled in Authy can craft a more convincing lure for it.
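The first two detection items above, written out as code that an API operator could run over access logs. This is an added example, not a Twilio detection or log format: the line layout, the path /v1/lookup, the `auth=` field and the IP addresses are all constructed for the example, and the sample lines are generated inline. It flags a source that sends at least `threshold` unauthenticated lookups for distinct numbers within a sliding time window, and ignores authenticated traffic and lines it cannot parse.

```python
"""Enumeration detector over constructed API access log lines (added example,
not Twilio's code). Log format, endpoint path and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line: "<ISO ts> <src ip> <method> <path> auth=<none|bearer> phone=<e164> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>\S+) phone=(?P<phone>\+?\d+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a recognised line, None for anything else (never crash on noise)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Alert on any source IP that, within `window`, sends >= `threshold`
    unauthenticated lookups for distinct phone numbers. Authenticated traffic is
    left alone; it is a weaker signal and needs per-account context instead."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["auth"] == "none" and ev["path"].endswith("/lookup"):
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        left = 0
        for right in range(len(evs)):            # sliding window over sorted events
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            distinct = {e["phone"] for e in evs[left:right + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_phones": best})
    return alerts


# Constructed sample log: one enumerating source, one low-volume unauthenticated
# source, one authenticated high-volume client and one unrelated line.
SAMPLE_LOG = (
    [f"2024-06-20T12:00:{i * 5:02d}Z 198.51.100.7 POST /v1/lookup auth=none "
     f"phone=+1555010{i:04d} status=200" for i in range(12)]
    + [f"2024-06-20T12:02:{i * 10:02d}Z 203.0.113.9 POST /v1/lookup auth=none "
       f"phone=+1555020{i:04d} status=200" for i in range(3)]
    + [f"2024-06-20T12:01:{i * 2:02d}Z 192.0.2.4 POST /v1/lookup auth=bearer "
       f"phone=+1555030{i:04d} status=202" for i in range(15)]
    + ["2024-06-20T12:03:00Z 198.51.100.7 GET /healthz"]
)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(f"enumeration suspected from {alert['ip']}: "
              f"{alert['distinct_phones']} distinct numbers, no auth")
```

Run as written it reports only 198.51.100.7 (12 distinct numbers in under a minute with no credentials); the three-lookup source stays under the threshold and the authenticated client is not counted. Distinct numbers rather than raw request count is the right measure, since a legitimate client retrying one number looks nothing like a sweep.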

CVSS provenance

  • nvd: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • vulncheck: 5.3 MEDIUM
  • cisa: 5.3 MEDIUM