Cyber Resilience

CVE-2024-39891

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 02 July 2024
Modified: 05 November 2025
KEV Added: 23 July 2024
CVSS Score: v3.1 5.3 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 0.1707 (95.1st percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39891 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Twilio Authy. Its CVSS v3.1 base score is 5.3 (Medium): reachable over the network with no privileges or user interaction required, with impact limited to a partial loss of confidentiality (C:L).

Operationally, it ranks in the top 4.9% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

CVE-2024-39891 resides in the Twilio Authy API as accessed by Authy Android before version 25.1.0 and Authy iOS before version 26.1.0. An unauthenticated endpoint accepted requests containing phone numbers and answered each one with whether that number was registered with Authy. Because the response differed according to registration status, the endpoint acted as an oracle for account existence; the issue is classified as CWE-203 (Observable Discrepancy) with a CVSS score of 5.3.

Unauthenticated remote attackers could abuse this by submitting streams of phone numbers in rapid succession and parsing each response to learn whether the number was registered. This allowed enumeration of users relying on Authy for MFA without compromising any account credentials or gaining further access; the value to an attacker is targeting, since a confirmed list of Authy users is a ready-made target list for phishing and smishing campaigns.
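The following is an added example, not code from Twilio or from the Authy app, that models the CWE-203 pattern described above alongside a hardened shape of the same lookup. The registered-number set, the response bodies, the client token and the rate-limit numbers are all constructed for illustration; the real Authy API paths and fix are not reproduced here. The attacker-side `enumerate_numbers` helper shows why a differing response is enough, and `HardenedLookup` shows the three changes that close it: authentication, per-source rate limiting, and a response that is identical for registered and unregistered numbers.

```python
import hmac
import secrets
from collections import defaultdict, deque
from typing import Callable, Optional

# Constructed sample data: numbers the fictional service has on file.
REGISTERED = {"+15551230001", "+15551230002"}

# Constructed client credential that a legitimate app instance would present.
VALID_TOKEN = secrets.token_hex(16)


def vulnerable_lookup(phone: str) -> dict:
    """Pre-fix shape (CWE-203): no authentication, and both status code and
    body differ by registration status, so each response is an oracle."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "unknown phone number"}}


def enumerate_numbers(candidates, handler: Callable[[str], dict]) -> list:
    """Attacker side: stream candidate numbers through the endpoint and keep
    those whose response is distinguishable (here, HTTP 200)."""
    return [n for n in candidates if handler(n)["status"] == 200]


class HardenedLookup:
    """Post-fix shape: require a client token, rate-limit per source, and send
    the same status and body whether or not the number is registered.
    Registration status is still used internally (to decide whether an SMS
    goes out) but is never reflected to the caller."""

    def __init__(self, limit: int = 5, window_s: int = 60):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)   # source -> timestamps of recent requests
        self.sms_queue = []               # server-side side effect, invisible to caller

    def _rate_limited(self, source: str, now: float) -> bool:
        q = self._hits[source]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def lookup(self, phone: str, source: str, now: float, token: Optional[str]) -> dict:
        # 1. No anonymous access to the lookup at all.
        if token is None or not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
            return {"status": 401, "body": {"error": "authentication required"}}
        # 2. Bulk streams from one source are cut off.
        if self._rate_limited(source, now):
            return {"status": 429, "body": {"error": "too many requests"}}
        # 3. Registration status drives only a server-side action. In a real
        #    service, queue the SMS asynchronously so response timing does
        #    not differ between the two branches either.
        if phone in REGISTERED:
            self.sms_queue.append(phone)
        # 4. Uniform response: byte-for-byte identical for both cases.
        return {"status": 202,
                "body": {"message": "If this number is registered, a code has been sent."}}


if __name__ == "__main__":
    probe = ["+15551230001", "+15559999999", "+15551230002", "+15558888888"]
    print("vulnerable:", enumerate_numbers(probe, vulnerable_lookup))
    h = HardenedLookup(limit=3)
    print("hardened, no token:",
          enumerate_numbers(probe, lambda n: h.lookup(n, "203.0.113.7", 0.0, None)))
    print("hardened, with token:",
          [h.lookup(n, "203.0.113.7", float(i), VALID_TOKEN)["status"] for i, n in enumerate(probe)])
```

The uniform 202 message is deliberately the same string for both branches; an attacker who can still distinguish the cases would have to do so through timing, which is why the SMS send belongs on an asynchronous queue rather than inline in the request path.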

Public references, including Twilio's security reporting page and changelog, document the flaw alongside independent reporting that the endpoint was abused in the wild during June 2024 to verify millions of phone numbers.

The EPSS score rose from lower values to a peak of 0.2958 on 2026-02-07 before receding to the current 0.1707. Even the current value sits above roughly 95% of all CVEs, so the post-disclosure rise in exploitation interest has persisted rather than faded.


Vulnerability details

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

CWE(s): CWE-203 (Observable Discrepancy)
KEV Date Added: 23 July 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

twilio / authy (iOS): versions before 26.1.0 (fixed in 26.1.0)
twilio / authy authenticator (Android): versions before 25.1.0 (fixed in 25.1.0)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-203) cited in the NVD entry. For this CVE the advisory text itself implies three concrete controls: do not expose the lookup without authentication, return an identical response whether or not a number is registered, and rate-limit or alert on bulk lookups from a single source.

- addresses CWE-203: Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.
- addresses CWE-203: Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.
- addresses CWE-203: Prevents attackers from using observable differences in error responses to infer internal system details or state.
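As an added example of the rate-limit-or-alert side of these controls, and not code from the page or from Twilio: a retrospective detector for the "stream of phone numbers in rapid succession" pattern described in the analysis above, run over constructed access-log lines. The log line format, the /lookup path, the 60-second window and the distinct-number threshold are all assumptions; the point is that counting distinct numbers per source, rather than raw request volume, separates an enumeration sweep from a client retrying its own number.

```python
import re
from collections import defaultdict

# Assumed log line shape: "<unix_ts> <src_ip> POST <path> phone=<e164> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) POST (?P<path>\S+) phone=(?P<phone>\+\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one source sweeping distinct numbers within seconds,
# one ordinary client re-checking its own number a minute apart.
SAMPLE_LOG = """\
1000 203.0.113.7 POST /lookup phone=+15551230001 200
1001 203.0.113.7 POST /lookup phone=+15551230002 404
1002 203.0.113.7 POST /lookup phone=+15551230003 200
1003 203.0.113.7 POST /lookup phone=+15551230004 404
1003 198.51.100.9 POST /lookup phone=+15557770001 200
1060 198.51.100.9 POST /lookup phone=+15557770001 200
1070 203.0.113.7 POST /lookup phone=+15551230005 404
"""


def parse_log(text):
    """Yield parsed events; lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            yield ev


def flag_enumerators(text, path="/lookup", window_s=60, min_distinct=3):
    """Return {source: peak number of distinct phone numbers it queried within
    any window_s-second span} for every source at or above min_distinct."""
    per_src = defaultdict(list)
    for ev in parse_log(text):
        if ev["path"] == path:
            per_src[ev["src"]].append((ev["ts"], ev["phone"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):
            # Slide the window's left edge forward until it spans < window_s.
            while events[hi][0] - events[lo][0] >= window_s:
                lo += 1
            peak = max(peak, len({phone for _, phone in events[lo:hi + 1]}))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 4}
```

In the sample, 203.0.113.7 queries four distinct numbers in four seconds and is flagged, while 198.51.100.9 repeats one number and is not; the 200/404 split in the flagged source's responses is the observable discrepancy that made the sweep worthwhile.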
