CVE-2024-39891
Published: 02 July 2024
Summary
CVE-2024-39891 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Twilio Authy. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 4.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
Deeper analysis
The vulnerability CVE-2024-39891 resides in the Twilio Authy API accessed by Authy Android before version 25.1.0 and Authy iOS before version 26.1.0. An unauthenticated endpoint exposed limited phone-number data by accepting requests that queried registration status, returning whether each supplied number was associated with an Authy account. The issue is classified under CWE-203 with a CVSS score of 5.3.
Unauthenticated remote attackers could exploit the endpoint by submitting streams of phone numbers in rapid succession and parsing the responses to determine registration status. This allowed enumeration of users relying on Authy for MFA without compromising account credentials or further access.
Public references, including Twilio's security reporting page and changelog, document the flaw alongside independent reporting that the endpoint was abused in the wild during June 2024 to verify millions of phone numbers.
The EPSS score rose from lower values to a peak of 0.2958 on 2026-02-07 before receding to the current 0.1707, indicating a clear post-disclosure increase in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38291
Vulnerability details
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of…
more
requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
- CWE(s)
- KEV Date Added
- 23 July 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.
Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.
Prevents attackers from using observable differences in error responses to infer internal system details or state.