June 10, 2026

CVE-2026-41615 – Microsoft Authenticator Information Disclosure Vulnerability


Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Set an App Vulnerability policy to an appropriate response level as per your compliance policy. Lookout will release coverage for the vulnerable versions of the application on both iOS (below 6.8.47) and Android (below 6.2605.2973) on May 28th, 2026, prompting users to update the app immediately.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from the malicious phishing campaigns that serve as the initial delivery mechanism for exploiting this vulnerability — particularly spearphishing links designed to trigger the information disclosure.
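The first step above depends on deciding, per device, whether the installed Authenticator build is older than the patched version for its platform. The following is an added example, not Lookout's or Microsoft's code, that does that check over a constructed MDM inventory export. It assumes an inventory of (device id, platform, version) records and the two fixed thresholds from this guidance; the record format and the `triage_inventory` function are assumptions for illustration. Dotted versions must be compared numerically, component by component: a plain string comparison would call iOS 6.8.5 "patched" and iOS 6.10.1 "vulnerable", both wrong.

```python
"""Flag devices running a Microsoft Authenticator build below the patched version.

Added example for the Lookout guidance on CVE-2026-41615; the inventory
format and function names are assumptions, not a real MDM API.
"""
from typing import Dict, List, Optional, Tuple

# Patched versions named in the guidance: anything older is vulnerable.
PATCHED_VERSIONS: Dict[str, str] = {
    "android": "6.2605.2973",
    "ios": "6.8.47",
}


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '6.2605.2973' into (6, 2605, 2973) so it compares numerically.

    Returns None for strings that are not purely dotted integers, so the caller
    can route them to manual review instead of silently treating them as safe.
    """
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(platform: str, version: str) -> Optional[bool]:
    """True if the build is below the patched version for its platform.

    None means the answer is unknown (unsupported platform or unparseable
    version); callers should never map None to 'patched'.
    """
    threshold = PATCHED_VERSIONS.get(platform.lower())
    installed = parse_version(version)
    if threshold is None or installed is None:
        return None
    # Tuple comparison is lexicographic over integers, so (6, 10, 1) > (6, 8, 47)
    # and (6, 8, 5) < (6, 8, 47), which is what a version compare needs.
    return installed < parse_version(threshold)


def triage_inventory(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket inventory records into vulnerable / patched / needs_review device ids."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "needs_review": []}
    for rec in records:
        verdict = is_vulnerable(rec["platform"], rec["version"])
        if verdict is None:
            buckets["needs_review"].append(rec["device_id"])
        elif verdict:
            buckets["vulnerable"].append(rec["device_id"])
        else:
            buckets["patched"].append(rec["device_id"])
    return buckets


# Constructed sample export; device ids and versions are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device_id": "dev-001", "platform": "iOS", "version": "6.8.5"},        # below 6.8.47
    {"device_id": "dev-002", "platform": "iOS", "version": "6.10.1"},       # above, despite sorting first as text
    {"device_id": "dev-003", "platform": "Android", "version": "6.2605.2972"},  # one build short
    {"device_id": "dev-004", "platform": "Android", "version": "6.2605.2973"},  # exactly patched
    {"device_id": "dev-005", "platform": "Android", "version": "6.2605.2973-beta"},  # cannot parse
]

if __name__ == "__main__":
    for bucket, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices in the `needs_review` bucket are the ones a string-based check would most likely misclassify; treating an unparseable version as "unknown" rather than "patched" keeps the policy's failure mode on the safe side.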

Overview

Microsoft has released an update to its Authenticator application to address a vulnerability that has been identified as actively exploitable. The patched versions, Android 6.2605.2973 and iOS 6.8.47, contain critical security fixes for the following CVE:

  • CVE-2026-41615: Could allow an unauthorized attacker to disclose sensitive information over a network by exploiting a flaw in how Microsoft Authenticator handles data exposure

Microsoft has rated this vulnerability 9.6 (Critical) on the CVSS 3.1 scale, while NIST rates it 7.4 (High). Microsoft's assessment scores the vulnerability high on confidentiality, integrity, and availability, which accounts for the difference in severity ratings.

Lookout Analysis

CVE-2026-41615 is particularly significant because it targets Microsoft Authenticator — an application that serves as a primary multi-factor authentication (MFA) mechanism for enterprise users. Successful exploitation could expose sensitive authentication credentials or tokens, potentially allowing an attacker to bypass MFA protections entirely and gain unauthorized access to enterprise resources.

This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and requires user interaction to trigger, making it well-suited for delivery via a phishing attack (MITRE ATT&CK T1566.002). An attacker could craft a malicious network payload or lure a target to interact with attacker-controlled content, causing the app to leak sensitive authentication data back over the network.

Because Microsoft Authenticator is widely deployed in enterprise environments as the cornerstone of Zero Trust access policies, the app is a high-value target for threat actors seeking to escalate privileges or move laterally within an organization. Exploitation of this vulnerability could expose enterprise sign-in access tokens. Such a disclosure would permit an unauthorized actor to access the same data and services as the compromised user, including highly sensitive organizational resources.

To help protect against this threat, Lookout takes a multifaceted approach to defend mobile users from attack chains that begin with phishing campaigns and leverage app-level vulnerabilities to steal credentials or authentication tokens. Lookout's app risk detection continuously monitors for vulnerable application versions, while device-level compromise detection monitors overall device health.

Authors

Lookout

Endpoint Security
Entry Type: Threat Guidances
Threat Type: Vulnerability
Platform(s) Affected: Android, iOS