CVE-2024-39891 - Vulnerability Details - OpenCVE

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since July 23, 2024.

Exploitation active

Automatable yes

Technical Impact partial

Vendors	Products
Twilio	Authy Authy 2-factor Authentication Authy Authenticator

Configuration 1 [-]

OR	cpe:2.3:a:twilio:authy::::::iphone_os::*
	cpe:2.3:a:twilio:authy_authenticator::::::android::*

No data.

References

Link	Providers
https://cwe.mitre.org/data/definitions/203.html
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
https://www.twilio.com/en-us/changelog

History

Wed, 30 Jul 2025 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Twilio authy 2-factor Authentication
CPEs		cpe:2.3:a:twilio:authy_2-factor_authentication::::::::
Vendors & Products		Twilio authy 2-factor Authentication
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-02T00:00:00.000Z

Updated: 2025-07-30T01:36:37.977Z

Reserved: 2024-07-02T00:00:00.000Z

Link: CVE-2024-39891

Vulnrichment

Updated: 2024-08-02T04:33:11.402Z

NVD

Status : Analyzed

Published: 2024-07-02T18:15:03.447

Modified: 2024-12-20T16:15:33.687

Link: CVE-2024-39891

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39891", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-07-30T01:36:37.977Z", "dateReserved": "2024-07-02T00:00:00.000Z", "datePublished": "2024-07-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423Z"}, "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39891", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T03:55:42.678226Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891"}}}], "affected": [{"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "timeline": [{"time": "2024-07-23T00:00:00+00:00", "lang": "en", "value": "CVE-2024-39891 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:36:37.977Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39891", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-07-28T19:43:09.605Z", "dateReserved": "2024-07-02T00:00:00.000Z", "datePublished": "2024-07-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423Z"}, "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39891", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T03:55:42.678226Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891"}}}], "affected": [{"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T18:29:13.344Z"}, "timeline": [{"time": "2024-07-23T00:00:00+00:00", "lang": "en", "value": "CVE-2024-39891 added to CISA KEV"}], "title": "CISA ADP Vulnrichment"}]}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-08-13", "cisaExploitAdd": "2024-07-23", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Twilio Authy Information Disclosure Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "F645AEA3-6ACC-4386-ACA9-793E66DBF31E", "versionEndExcluding": "26.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*", "matchCriteriaId": "07B60ED3-2C9B-46F8-9B6C-1FFB46067D06", "versionEndExcluding": "25.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}, {"lang": "es", "value": "En la API de Twilio Authy, a la que acced\u00edan Authy Android antes de la versi\u00f3n 25.1.0 y Authy iOS antes de la versi\u00f3n 26.1.0, un endpoint no autenticado proporcionaba acceso a determinados datos de n\u00fameros de tel\u00e9fono, como se explot\u00f3 en junio de 2024. En concreto, el endpoint aceptaba un flujo de solicitudes que conten\u00edan n\u00fameros de tel\u00e9fono y respond\u00eda con informaci\u00f3n sobre si cada n\u00famero de tel\u00e9fono estaba registrado en Authy. (Sin embargo, las cuentas de Authy no se vieron comprometidas)."}], "id": "CVE-2024-39891", "lastModified": "2024-12-20T16:15:33.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-02T18:15:03.447", "references": [{"source": "[email protected]", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/203.html"}, {"source": "[email protected]", "tags": ["Press/Media Coverage"], "url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://www.twilio.com/en-us/changelog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/203.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.twilio.com/en-us/changelog"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}