
A serious security flaw in Microsoft Authenticator allows attackers to steal sign-in tokens and gain unauthorised access to resources; updated versions of the app are now available.
Microsoft describes the problem only in general terms in its vulnerability entry: Microsoft Authenticator exposes sensitive information over the network, so it may end up in the hands of unauthorised actors. The FAQ clarifies that the vulnerability may disclose the sign-in token for a user's work account. That token allows unauthorised parties to access the services and data the account is authorised for, possibly including private company data.
To exploit the vulnerability, an attacker must trick the victim into responding to a malicious request that appears authentic. Once the user approves the request, the app can be deceived into requesting access tokens on the user's behalf and delivering them to a service under the attacker's control. Affected users are not clearly informed about the type of access that has been granted (CVE-2026-41615, CVSS 9.6, risk "critical"). NIST's NVD entry, however, assigns only CVSS 7.4 and a risk of "high".
Updated Microsoft Authenticator builds are available in the respective app stores. Version 6.8.47 and later on iOS and version 6.2605.2973 and later on Android fix the problem.
Users whose mobile operating system has automatic app updates enabled will receive the update automatically. Users who have disabled this must download and install the updated app from the Google Play Store or the iOS App Store themselves.
Microsoft further states that the issue has not yet been exploited, and no public exploit is currently available. Microsoft Authenticator users should nevertheless make sure they are running an up-to-date version. The Authenticator shows the installed version in the app menu under "Help", then further down under "About", as "Application version".
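Comparing the version shown under "Application version" against the fixed builds named above is a numeric comparison, not a string one: `"6.10.0"` sorts before `"6.8.47"` as text but is the newer build. The following is an added example (not Microsoft's code) that takes the platform and the version string read from the app and reports whether it is at or above the fixed version; the platform keys and the `is_patched` helper are assumptions of this example.

```python
"""Check whether an installed Microsoft Authenticator build is at or above the
fixed version (iOS 6.8.47, Android 6.2605.2973). Added example, not
Microsoft's own code."""

# Fixed versions as stated in the article.
FIXED_VERSIONS = {
    "ios": "6.8.47",
    "android": "6.2605.2973",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Tuples of ints compare component-wise, so (6, 10, 0) > (6, 8, 47),
    which a plain string comparison would get wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True when `installed` is at or above the fixed version for `platform`."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    a, b = parse_version(installed), parse_version(FIXED_VERSIONS[key])
    # Pad the shorter tuple with zeros so "6.8" compares as "6.8.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


if __name__ == "__main__":
    # Constructed sample inputs, as a user would read them from the app.
    for platform, ver in [("ios", "6.8.46"), ("ios", "6.8.47"), ("ios", "6.10.0"),
                          ("android", "6.2605.2973"), ("android", "6.2604.9999")]:
        status = "patched" if is_patched(platform, ver) else "UPDATE REQUIRED"
        print(f"{platform:8} {ver:14} {status}")
```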
The attack also exploits an unclaimed deep link protocol (ms-msa://): the user is tricked into installing a malicious app that intercepts authentication requests during a legitimate sign-in and then manipulates Microsoft Authenticator into delivering session tokens to an attacker-controlled server. Once the tokens are stolen, the attacker bypasses passwords and MFA entirely, enabling actions such as password resets, removal of legitimate authentication methods, and registration of their own devices for persistent access, as demonstrated by threat groups like Storm-2949.
To address this critical flaw, users should immediately update Microsoft Authenticator to the latest version on all devices, enforce device-bound token protection in Microsoft Entra ID, which cryptographically binds tokens to trusted hardware and rejects any replayed from unauthorised devices, and move high-risk users to phishing-resistant MFA such as FIDO2 passkeys. In addition, configure security monitoring to flag new device enrolments and MFA method changes as high-risk alerts, so that an attempted tenant takeover can be responded to quickly.
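The monitoring recommendation above can be turned into detection logic: flag every device enrolment and MFA method change, and escalate when one account does both within a short window, which is the post-theft sequence the article describes (new method added, device registered, legitimate method removed). The following is an added example, not code from the article or from Microsoft; the JSON-lines record format, field names and activity strings are a constructed, simplified stand-in for Entra audit-log entries and would have to be mapped onto a tenant's real export, and the 30-minute window is an assumed threshold.

```python
"""Flag device enrolments and MFA/security-info changes in audit-log records
and correlate them per user. Added example; the record format is a constructed
stand-in for Microsoft Entra audit-log entries, not a real export."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Activities treated as high-risk, per the article's advice. These strings
# are assumptions of this example and must be mapped to the real activity
# names used in a given tenant's audit logs.
DEVICE_ENROLMENT = {"Register device"}
MFA_CHANGE = {"User registered security info", "User deleted security info"}
HIGH_RISK = DEVICE_ENROLMENT | MFA_CHANGE

# Constructed sample log: alice shows the full takeover sequence within minutes;
# carol performs the same two kinds of action but a day apart; bob only signs in.
SAMPLE_LOG = """\
{"time": "2026-05-10T09:01:00Z", "user": "alice@example.com", "activity": "User registered security info", "detail": "Authenticator app added", "ip": "203.0.113.7"}
{"time": "2026-05-10T09:04:00Z", "user": "alice@example.com", "activity": "Register device", "detail": "Windows device joined", "ip": "203.0.113.7"}
{"time": "2026-05-10T09:06:00Z", "user": "alice@example.com", "activity": "User deleted security info", "detail": "Phone method removed", "ip": "203.0.113.7"}
{"time": "2026-05-10T11:30:00Z", "user": "bob@example.com", "activity": "Sign-in", "detail": "Success", "ip": "198.51.100.4"}
{"time": "2026-05-10T14:00:00Z", "user": "carol@example.com", "activity": "Register device", "detail": "Phone enrolled", "ip": "198.51.100.9"}
{"time": "2026-05-11T08:00:00Z", "user": "carol@example.com", "activity": "User registered security info", "detail": "Passkey added", "ip": "198.51.100.9"}
"""


def parse_records(text: str) -> list[dict]:
    """Parse JSON lines; skip blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def flag_high_risk(records: list[dict]) -> list[dict]:
    """One 'high' alert per device enrolment or MFA change, unconditionally."""
    return [
        {"severity": "high", "user": r["user"], "activity": r["activity"],
         "time": r["time"], "ip": r.get("ip")}
        for r in records if r["activity"] in HIGH_RISK
    ]


def detect_takeover_pattern(records: list[dict],
                            window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Escalate to 'critical' when one user both enrols a device and changes
    an MFA method within `window` of each other."""
    by_user = defaultdict(list)
    for r in records:
        if r["activity"] in HIGH_RISK:
            by_user[r["user"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            kinds = {e["activity"] for e in cluster}
            if kinds & DEVICE_ENROLMENT and kinds & MFA_CHANGE:
                alerts.append({"severity": "critical", "user": user,
                               "start": first["time"],
                               "activities": [e["activity"] for e in cluster]})
                break  # one escalation per user is enough to page on
    return alerts


def analyse(text: str) -> dict:
    """Run both detections over a JSON-lines log and return the alerts."""
    records = parse_records(text)
    return {"high_risk": flag_high_risk(records),
            "takeover": detect_takeover_pattern(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["takeover"] + result["high_risk"]:
        print(alert)
```

The two tiers are deliberate: the per-event alerts give the ticket queue something to review for every enrolment, while the correlated alert is the one worth paging on, since a legitimate user rarely adds a method, joins a device and removes their old method inside half an hour.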