Microsoft Calls It Information Disclosure. The Rest of Us Call It MFA Bypass.
Microsoft has a critical vulnerability in its own bloody MFA app. The thing it has spent five years telling you to install instead of SMS. The thing it tells you is the secure choice for protecting your business. The thing now sitting on millions of UK work phones with a critical CVSS 9.6 vulnerability that lets attackers walk away with your work-account session.
And the kicker? Microsoft’s own CVE entry calls it “information disclosure”. As if losing a sign-in token to an attacker is the same as accidentally leaking your office Wi-Fi password to a contractor.
It is not. CVE-2026-41615 is an MFA bypass with a polite label. Patch the bloody app.
What Actually Landed
On 14 May 2026, Microsoft published CVE-2026-41615 in its Security Update Guide. The Authenticator app on Android (any version below 6.2605.2973) and iOS (any version below 6.8.47) contains a flaw that lets attackers obtain sign-in tokens for users’ work accounts. Microsoft’s own CNA score is CVSS 9.6, critical. NIST has not yet provided its own assessment in the National Vulnerability Database, where the entry is marked “Awaiting Enrichment”. The published vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
If you decode that vector out of acronym soup, the message is straightforward.
The attack works over the network. No physical access needed. The complexity is low, so the attacker does not need a doctorate. No privileges are required to start. User interaction is required, which in this case means the victim has to tap “yes” on what looks like a legitimate sign-in request. The scope is changed, meaning the damage extends beyond the app itself into the identity systems behind it. Confidentiality, integrity, and availability impacts are all rated high.
That is not a paperwork problem. That is a fully formed access compromise that needed nothing more sophisticated than one mistimed tap.
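The decoding above done in code, as an added example that is neither the article's nor Microsoft's: a Python script that parses the published vector, renders each metric in plain English and recomputes the base score with the CVSS v3.1 formulas, so the 9.6 can be checked rather than taken on trust. The weights and the Roundup function are FIRST's; the plain-English wordings are my own.

```python
import math
# Base-metric weights from the CVSS v3.1 specification (FIRST, section 7.4).
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44},
     "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)},  # (Scope U, Scope C)
     "UI": {"N": 0.85, "R": 0.62}, "S": {"U": 0, "C": 1}, "C": CIA, "I": CIA, "A": CIA}
# Plain-English readings of the exploitability and scope metrics (my wording, not FIRST's).
PLAIN = {"AV": {"N": "reachable over the network", "A": "adjacent network only",
                "L": "local access needed", "P": "physical access needed"},
         "AC": {"L": "low attack complexity", "H": "high attack complexity"},
         "PR": {"N": "no privileges needed", "L": "low privileges needed", "H": "high privileges needed"},
         "UI": {"N": "no user interaction", "R": "victim must act, e.g. approve a prompt"},
         "S": {"U": "impact confined to the vulnerable app", "C": "impact reaches the systems behind it"}}
IMPACT_NAME = {"C": "confidentiality", "I": "integrity", "A": "availability"}

def parse_vector(vector):
    """Return {metric: value} for a CVSS v3.1 base vector; reject malformed or non-3.1 input."""
    head, *rest = vector.strip().split("/")
    if head != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are handled here")
    m = dict(p.split(":", 1) for p in rest)
    for k, allowed in W.items():
        if m.get(k) not in allowed:
            raise ValueError(f"missing or invalid metric {k}")
    return m

def roundup(x):
    """Roundup as defined in CVSS v3.1 section 7.5 (integer arithmetic avoids float artefacts)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """Base score per CVSS v3.1 section 7.1; scope-changed vectors use the 1.08 multiplier."""
    m = parse_vector(vector)
    changed = W["S"][m["S"]]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["PR"]][changed] * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def severity(score):
    """Qualitative rating per CVSS v3.1 section 5."""
    return ("None" if score == 0 else "Low" if score < 4 else "Medium" if score < 7
            else "High" if score < 9 else "Critical")

def decode(vector):
    """Plain-English reading of the vector, one entry per metric, in vector order."""
    m = parse_vector(vector)
    level = {"H": "high", "L": "low", "N": "none"}
    return ([PLAIN[k][m[k]] for k in ("AV", "AC", "PR", "UI", "S")]
            + [f"{IMPACT_NAME[k]} impact: {level[m[k]]}" for k in ("C", "I", "A")])
```

Feeding the advisory's vector to `base_score` returns 9.6 and `severity` returns Critical; the same functions give 9.8 for the unchanged-scope, no-interaction variant, which shows what the UI:R flag is actually worth in score terms.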
Microsoft has confirmed that no exploit is publicly available, and they are not currently aware of in-the-wild exploitation. That is genuinely useful information. It means the window for clean remediation is open. It does not mean the bug stops mattering.
Why “Information Disclosure” Is the Wrong Label
The Common Weakness Enumeration on this CVE is CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. Technically accurate. Editorially convenient.
Here is what actually happens, in plain English. A user gets a notification that looks like a legitimate sign-in request, because the attacker has crafted something convincing or has already compromised a related session. The user taps to confirm. The Authenticator, instead of just approving a sign-in for the user, can be tricked into emitting a real access token to an attacker-controlled service. The user sees no clear indication of what just got handed over.
A leaked password is information. The user can change it.
A leaked one-time code is information. It expires in 30 seconds and is useless 60 seconds later.
A leaked sign-in token is access. For the lifetime of that token, often an hour or more, an attacker can call APIs as the user, read mail, open SharePoint files, dump Teams chats, browse the OneDrive estate, and pivot into anything else the account can reach. Conditional Access policies may slow them down. Session lifetime limits will eventually catch them. But during that window, they are inside.
This is the same fundamental pattern we saw with the infostealer-driven credential crisis last year: the attacker does not need your password if they can get the artefact your password produces. Calling that “information disclosure” is like calling a stolen Yale key a “lock data exposure event”. Technically true. Morally useless.
The Trust Paradox
For five years, the entire industry has been telling UK small businesses the same thing. Move off SMS. SMS is broken. Install Microsoft Authenticator. It is the safe choice. It is the modern choice. It is the choice that protects you.
That advice was correct, by the way. SMS is genuinely broken. Authenticator-based MFA is genuinely better. But there was a quiet assumption baked into that advice. The assumption was that the app itself was solid. Production grade. Audited to within an inch of its life. The kind of software that simply does not have critical bugs in its core token-handling logic.
CVE-2026-41615 says: not necessarily.
This matters more than the usual “patch your app” cycle because the Authenticator is not an app in the consumer sense. It is identity infrastructure. It sits between every Entra ID-protected service you have and every user who tries to reach those services. When Microsoft Word has a bug, you lose a document. When the Authenticator has a bug, you lose a tenant.
And the hardware it runs on does not belong to you. It belongs to the personal phone of an employee who may or may not have automatic updates enabled, may or may not be enrolled in your MDM, and almost certainly thinks of “the work app” as just another icon next to TikTok.
If you have been running a BYOD policy on the assumption that the Authenticator is a sealed unit that needs no governance, this CVE is your invitation to revisit that assumption.
The “User Interaction Required” Excuse
You will hear vendors and analysts emphasise the UI:R flag in the CVSS vector. User interaction is required. The implication is that this somehow softens the impact, because users will not fall for it.
In 2026, users will fall for it. They will fall for it in the morning before coffee. They will fall for it on the train. They will fall for it because the request is timed to arrive when they are already signing into Outlook. They will fall for it because Microsoft has spent years training them to tap “yes” on Authenticator prompts the moment they appear.
The entire history of cybersecurity research has produced one consistent finding on phishing. Some percentage of users, every time, will click the link, type the password, or tap the prompt. If you have any doubt about how good well-resourced attackers are at engineering that tap, go and read about how Iranian threat actors run social engineering at scale and ask yourself whether your Tuesday-morning self would spot the difference.
If the only thing standing between an attacker and your tenant is the user’s judgement at 9 a.m. on a Tuesday, you do not have a control. You have a hope.
What Microsoft Has Not Said
Microsoft has said the app needs updating. They have published the fixed versions. They have confirmed no public exploit yet. All useful.
What Microsoft has not said, and will not say loudly, is the obvious follow-up. If you care about identity security and you have the budget, stop relying solely on push-approval MFA for privileged accounts and move to phishing-resistant authentication. FIDO2 hardware keys. Platform passkeys bound to device hardware. Methods that cannot be tricked into emitting a token to an attacker-controlled endpoint, because the cryptographic challenge-response is bound to the legitimate origin.
Microsoft cannot say this loudly without undermining the product their entire consumer identity strategy leans on. That is not a moral failing on Microsoft’s part. It is just the reality of running a business. But it does mean the conclusion sits in the silence around the advisory rather than in the advisory itself.
If you want the full story, you have to read between the lines.
How to Turn This Into a Competitive Advantage
For UK SMEs, and for the MSPs that serve them, this story is an opportunity rather than just a fire drill.
Speed of response demonstrates operational maturity. When a critical vulnerability lands in identity infrastructure, the gap between competent shops and amateur ones widens immediately. The competent ones push a forced update through their MDM tooling within hours, sweep their tenants for token revocation, and email clients with a one-paragraph plain-English summary. The amateur ones discover the vulnerability three weeks later when a customer asks them about it. Be the first kind of shop and tell your clients about it.
Phishing-resistant authentication becomes an upsell that writes itself. If you have been trying to convince a client to move their privileged accounts to FIDO2 keys, CVE-2026-41615 is now the slide that closes the conversation. You no longer have to construct a hypothetical. The hypothetical just happened, in the app you have been telling them is the safe option.
Token-aware monitoring becomes a real product, not a buzzword. Most SMEs run no monitoring on token activity. They monitor sign-in events. After this CVE, “what tokens were issued, to which services, in which sessions” is a legitimate question to ask, and a legitimate offering to build.
Making the Business Case to Your Board
Three talking points for the budget conversation, sized for a non-technical audience.
- The MFA app is now a documented attack surface. Not theoretical. CVSS 9.6 critical, published by Microsoft, fixed in last week’s app updates. Continuing to rely solely on push-approval MFA for high-privilege accounts is a board-level decision now, not an IT preference.
- Token compromise costs more to clean up than password compromise. Resetting a password takes a minute. Cleaning up after a leaked token requires session revocation, conditional access review, and forensic checking of every API call the token might have made. The cleanup cost is at least an order of magnitude higher. Investing now in phishing-resistant authentication reduces that future cleanup liability.
- Conditional Access is the difference between an incident and a breach. Tight sign-in frequency policies, device compliance checks, and risk-based session controls turn a stolen token from a multi-day pivot opportunity into a 15-minute nuisance. These features are already in Microsoft 365 Business Premium. Many UK SMEs are paying for them and not using them.
What to Do This Week
Five things, in order.
1. Verify the patched version on every device that holds work credentials. Android needs Microsoft Authenticator 6.2605.2973 or later. iOS needs 6.8.47 or later. The app shows its current version under Help, then About, then Application version. Check unmanaged devices as well as managed ones.
2. Push the update through MDM if you run one. Intune, Workspace ONE, Jamf, whatever. Do not rely on individual users having auto-update enabled. Force the install.
3. Revoke sessions for high-privilege accounts as a precaution. In Entra ID, this is one click per user. Yes, it is annoying for the user. It is less annoying than explaining to an insurer why you knew about the bug and did nothing.
4. Review Conditional Access policies. Sign-in frequency, session lifetime, and device compliance requirements should all be tight on privileged roles. If your global administrators are using long-lived session tokens, that is a separate problem, and now is a good time to fix it.
5. Start the FIDO2 conversation, even if you cannot deploy this quarter. Get the budget item onto next quarter’s plan. Use this CVE as the supporting evidence. Nobody is going to argue that a critical bug in the MFA app is not a relevant data point.
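Steps 1 and 3 above as a triage script, added here as an example and not something the article or Microsoft provide: it walks a constructed device export (made-up users and device ids), checks each device against the fixed versions in step 1, treating an unknown platform or unreadable version as unpatched rather than giving it the benefit of the doubt, and ranks privileged users for the session revocation in step 3. The set of roles counted as privileged is an assumption, and the export format stands in for whatever your MDM actually gives you.

```python
# Minimum fixed versions for CVE-2026-41615, as published in Microsoft's advisory.
MIN_FIXED = {"android": (6, 2605, 2973), "ios": (6, 8, 47)}
# Assumption: which directory roles count as "high privilege" for the revocation step.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}

# Constructed sample export (not real devices or people): one row per device holding work credentials.
INVENTORY = [
    {"device": "and-001", "platform": "Android", "version": "6.2605.2973", "user": "alice", "roles": {"Global Administrator"}},
    {"device": "ios-002", "platform": "iOS", "version": "6.8.46", "user": "bob", "roles": {"Exchange Administrator"}},
    {"device": "ios-003", "platform": "iOS", "version": "6.8.47", "user": "carol", "roles": set()},
    {"device": "and-004", "platform": "Android", "version": "6.2604.9999", "user": "dave", "roles": set()},
    {"device": "unk-005", "platform": "", "version": "", "user": "erin", "roles": {"Global Administrator"}},
]

def parse_version(text):
    """Turn '6.8.47' into (6, 8, 47); empty or non-numeric input yields None."""
    if not text:
        return None
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def is_patched(platform, version):
    """True only when the platform is known and the version is at least the fixed one for it."""
    minimum = MIN_FIXED.get((platform or "").lower())
    parsed = parse_version(version)
    return minimum is not None and parsed is not None and parsed >= minimum

def triage(inventory):
    """Split devices into patched/unpatched and rank users for session revocation."""
    unpatched, privileged = [], set()
    for d in inventory:
        if d["roles"] & PRIVILEGED_ROLES:
            privileged.add(d["user"])
        if not is_patched(d["platform"], d["version"]):
            unpatched.append(d["device"])
    exposed_users = {d["user"] for d in inventory if d["device"] in unpatched}
    return {
        "unpatched_devices": sorted(unpatched),
        "revoke_first": sorted(privileged & exposed_users),  # privileged and still on a vulnerable build
        "revoke_next": sorted(privileged - exposed_users),   # privileged, every device already patched
        "chase_update": sorted(exposed_users - privileged),  # unprivileged, needs the update pushed
    }
```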
The Honest Conclusion
The Microsoft Authenticator is still better than SMS. That is the boring, unsatisfying truth. CVE-2026-41615 does not make push-approval MFA worthless. It makes it a control with a known failure mode, like every other control we use.
But anyone telling you this is a “just patch and move on” story has not read the CVSS vector and has not thought about what a leaked session token actually does in a modern cloud tenant. The label is “information disclosure”. The reality is an MFA bypass that needs nothing more than one tap from a tired user.
Patch the app. Revoke the sessions. Have the FIDO2 conversation. And the next time anyone tells you their MFA strategy is “we have the Authenticator, we are fine”, point them at the CVE.
Sources
| Source | Article |
|---|---|
| Microsoft Security Response Center | CVE-2026-41615 Microsoft Authenticator Information Disclosure Vulnerability |
| NIST National Vulnerability Database | CVE-2026-41615 Detail (Awaiting Enrichment) |
| MITRE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| Heise online | Microsoft Authenticator: Critical vulnerability allows token theft |
| NCSC | Multi-factor authentication for online services |
| Microsoft Learn | What is Conditional Access in Microsoft Entra ID |
| FIDO Alliance | FIDO2: Moving the World Beyond Passwords |
| APKMirror | Microsoft Authenticator 6.2605.2973 release |