HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Deep‑Link Flaw in Microsoft Authenticator (CVE‑2026‑26123) Enables Credential Hijacking

A researcher disclosed CVE‑2026‑26123, a deep‑link handling vulnerability in Microsoft Authenticator for iOS and Android that can allow a malicious app on the same device to intercept or reuse MFA codes. The flaw threatens any organization relying on the app for multi‑factor authentication, prompting an urgent patch from Microsoft.

LiveThreat™ Intelligence · 📅 March 26, 2026· 📰 malwarebytes.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
malwarebytes.com

Critical Deep‑Link Flaw in Microsoft Authenticator (CVE‑2026‑26123) Enables Credential Hijacking

What Happened — A security researcher disclosed CVE‑2026‑26123, a deep‑link handling vulnerability in Microsoft Authenticator for iOS and Android. The flaw allows a malicious app on the same device to intercept sign‑in codes or QR‑code flows, potentially leading to full account takeover. Microsoft has issued a patch and updated the app.

Why It Matters for TPRM

  • MFA‑based authentication is a core control for many third‑party relationships; a bypass undermines that control.
  • The vulnerability affects any organization that relies on Microsoft Authenticator for employee or partner access.
  • Exploitation does not require network access, making it hard to detect with traditional perimeter defenses.

Who Is Affected — Enterprises across all sectors using Microsoft Authenticator for multi‑factor authentication, especially those with mobile‑first workforces.

Recommended Actions

  • Verify that all Microsoft Authenticator installations are updated to the latest version.
  • Review MFA policies to ensure alternative factors (e.g., hardware tokens) are available.
  • Conduct a short‑term audit of mobile device management (MDM) policies to restrict inter‑app communication.

Technical Notes — The issue stems from improper validation of deep‑link intents, allowing a malicious app to capture or replay MFA codes. No CVE‑specific exploit code was publicly released at the time of reporting. Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/bugs/2026/03/meet-khaled-mohamed-the-bug-hunter-who-found-a-microsoft-flaw

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →