
[CIVN-2026-0249] Information Disclosure Vulnerability in Microsoft Authenticator
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Microsoft Authenticator for Android version 6.0.0 before 6.2605.2973
Microsoft Authenticator for iOS version 6.0.0 before 6.8.47
Overview
A vulnerability has been identified in Microsoft Authenticator which could allow an unauthenticated remote attacker to disclose sensitive information over a network.
Target Audience:
All end-user organizations and individuals using Microsoft Authenticator.
Risk Assessment:
Critical risk of sensitive information disclosure and potential unauthorized access to authentication-related resources.
Impact Assessment:
Elevation of privileges, unauthorized access to protected resources, and potential compromise of user authentication data.
Description
Microsoft Authenticator is a multi-factor authentication application developed by Microsoft that enables secure sign-in and authentication for Microsoft and third-party services.
This vulnerability exists in Microsoft Authenticator due to exposure of sensitive information to an unauthorized actor.
An unauthenticated remote attacker could exploit this vulnerability over a network by persuading a user to interact with specially crafted content or an authentication-related request.
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to disclose sensitive information over a network.
Solution
Users are advised to apply appropriate updates as provided by the vendor:
https://msrc.microsoft.com/update-guide
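To find devices that still need the update, the version ranges under "Software Affected" can be checked against a device inventory. The following is an added example, not part of the CERT-In advisory or any Microsoft tooling; the CSV columns (device, platform, version) and the sample rows are constructed assumptions. It compares version fields numerically, because plain string comparison would misorder versions such as 6.8.9 and 6.8.47.

```python
import csv
import io

# Ranges copied from "Software Affected":
# platform -> (first affected version, first fixed version)
AFFECTED = {
    "android": ((6, 0, 0), (6, 2605, 2973)),
    "ios": ((6, 0, 0), (6, 8, 47)),
}

def parse_version(text):
    """Turn '6.2605.2973' into (6, 2605, 2973) so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '6.8' to (6, 8, 0)

def is_affected(platform, version):
    """True when version lies in [first affected, first fixed)."""
    bounds = AFFECTED.get(platform.strip().lower())
    if bounds is None:
        raise ValueError(f"unknown platform: {platform!r}")
    low, fixed = bounds
    return low <= parse_version(version) < fixed

def triage(inventory_csv):
    """Return (device, platform, version, status) for every inventory row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            hit = is_affected(row["platform"], row["version"])
            status = "AFFECTED" if hit else "not listed"
        except ValueError:
            status = "REVIEW"  # unknown platform or unparseable version
        results.append((row["device"], row["platform"], row["version"], status))
    return results

# Constructed sample inventory (device names and versions are made up).
SAMPLE = """device,platform,version
phone-01,Android,6.2404.2229
phone-02,Android,6.2605.2973
phone-03,iOS,6.8.9
phone-04,iOS,6.8.47
phone-05,iOS,6.10.1
phone-06,Android,unknown
"""

if __name__ == "__main__":
    for device, platform, version, status in triage(SAMPLE):
        print(f"{device:10} {platform:8} {version:12} {status}")
```

Rows marked REVIEW need manual inspection; "not listed" means only that the version is outside the ranges this advisory names.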
Vendor Information
Microsoft
https://msrc.microsoft.com
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615
CVE Name
CVE-2026-41615
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


