Microsoft Authenticator: Critical vulnerability allows token theft
Microsoft warns of a security vulnerability in Authenticator. Attackers can intercept sign-in tokens and gain access.
In Microsoft's Authenticator, attackers can exploit a critical security vulnerability to obtain sign-in tokens, enabling unauthorized access to resources. Updated apps are available.
Microsoft's vulnerability entry broadly discusses the issue. Sensitive information can fall into the hands of unauthorized actors as Microsoft Authenticator exposes information to attackers over the network. In the FAQ, Microsoft explains that the vulnerability can reveal the sign-in token for users' work accounts. This allows unauthorized individuals to access data and services that the user account is permitted to access, potentially including sensitive company information.
To exploit the vulnerability, attackers must trick a victim into interacting with a legitimate-looking malicious request. Once users confirm the request, attackers can trick the app into requesting access tokens on behalf of the users to deliver them to a service under the attackers' control. Affected users do not receive clear information about what access has been granted (CVE-2026-41615, CVSS 9.6, risk “critical”). However, NIST, in its NVD entry, only assigns a risk of “high” with CVSS 7.4.
Microsoft Authenticator: Updates Available
Updated versions of Microsoft's Authenticator are available in the respective app stores. On Android, version 6.2605.2973 and newer resolve the issue, while on iOS, software version 6.8.47 and later does. Those who have enabled automatic app updates for their mobile operating system will receive the update automatically. Users who have disabled this must open the Google Play Store or the iOS App Store and download and install the updated apps there.
Microsoft further states that the vulnerability has not yet been exploited. No exploit is publicly available yet. Nevertheless, users of Microsoft Authenticator should ensure they are using the current version. The Authenticator displays the current version in the app menu under “Help,” then further down under “About” - “Application version.”
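For administrators who need to find installs still below the fixed builds named above rather than checking each phone by hand, the following added example (not code from Microsoft or heise) compares Authenticator versions from a device inventory against the Android 6.2605.2973 and iOS 6.8.47 thresholds. The inventory rows and their field names are constructed sample data for a hypothetical MDM export.

```python
"""Flag Microsoft Authenticator installs below the fixed versions from the advisory.
Inventory rows are constructed sample data; the field names are assumptions."""
from typing import Iterable

# Minimum fixed versions per platform, as stated in the advisory.
FIXED_VERSIONS = {
    "android": "6.2605.2973",
    "ios": "6.8.47",
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so that 6.10.2 > 6.8.47.
    A plain string comparison would get this wrong ("6.10" < "6.8")."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(platform: str, version: str) -> bool:
    """True if this install is at or above the fixed version for its platform."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) >= parse_version(fixed)


def find_unpatched(rows: Iterable[dict]) -> list:
    """Return the inventory rows whose Authenticator build is still below the fix."""
    return [r for r in rows if not is_patched(r["platform"], r["app_version"])]


# Constructed sample export (hypothetical field names: device, platform, app_version).
SAMPLE_INVENTORY = [
    {"device": "dev-001", "platform": "android", "app_version": "6.2605.2973"},
    {"device": "dev-002", "platform": "android", "app_version": "6.2604.1234"},
    {"device": "dev-003", "platform": "ios", "app_version": "6.8.47"},
    {"device": "dev-004", "platform": "ios", "app_version": "6.8.9"},
    {"device": "dev-005", "platform": "ios", "app_version": "6.10.2"},
]

if __name__ == "__main__":
    for row in find_unpatched(SAMPLE_INVENTORY):
        print(f"{row['device']} ({row['platform']}) still on {row['app_version']}")
```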
(dmk)