CVE-2026-23518
📋 TL;DR
This vulnerability in Fleet's Windows MDM enrollment flow allows attackers to bypass authentication by submitting forged JWT tokens that aren't properly validated. This enables unauthorized device enrollment under arbitrary Azure AD user identities. All Fleet users with Windows MDM enabled are affected.
💻 Affected Systems
- Fleet
📦 What is this software?
Fleet by Fleetdm
⚠️ Risk & Real-World Impact
Worst Case
Attackers enroll unauthorized devices into the Fleet management system with administrative privileges, gaining persistent access to managed environments and potentially compromising all managed devices.
Likely Case
Attackers enroll unauthorized devices to gain access to corporate resources, exfiltrate data, or establish persistence in the network.
If Mitigated
With proper network segmentation and monitoring, unauthorized enrollments can be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires knowledge of the Fleet instance's Windows MDM enrollment endpoint but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3
Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v
Restart Required: Yes
Instructions:
1. Back up your Fleet configuration and database.
2. Stop the Fleet service.
3. Upgrade to a patched version using your deployment method (Docker, package manager, etc.).
4. Restart the Fleet service.
5. Verify that JWT signature validation is working.
🔧 Temporary Workarounds
Disable Windows MDM enrollment
Temporarily disable Windows MDM enrollment to prevent exploitation while planning the upgrade.
fleetctl config set --mdm.enabled false
systemctl restart fleet
🧯 If You Can't Patch
- Implement network-level controls to restrict access to Fleet's Windows MDM enrollment endpoint
- Enable detailed logging for all enrollment attempts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Fleet version with 'fleetctl version' and compare it against the patch versions listed under Official Fix; a release on the same line that is older than the patched version is vulnerable.
Check Version:
fleetctl version
Verify Fix Applied:
After upgrading, test Windows MDM enrollment with a valid JWT token and confirm that tokens with invalid signatures are rejected.
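The TL;DR describes claims being trusted from a token whose signature was never checked, and the verification step above asks you to confirm that invalid signatures are now rejected. The following added example (not Fleet's code, and using HS256 with a constructed key rather than the Azure AD signing keys a real deployment would use) puts the decode-only pattern beside a verifying one, so the difference can be exercised against a token signed under the wrong key:

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    # JWTs use unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_claims_unverified(token: str) -> dict:
    """Vulnerable pattern: returns whatever claims the client sent; signature ignored."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, expected_aud: str) -> dict:
    """Hardened pattern: pin alg, check the MAC in constant time, check aud, then trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    return claims


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mints a token under `key`; stands in for the identity provider in this example."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url_encode(json.dumps(claims).encode())
    return head + "." + b64url_encode(hmac.new(key, head.encode(), hashlib.sha256).digest())


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample, not a real secret
    bad = sign_hs256({"upn": "admin@example.com", "aud": "mdm"}, b"some-other-key")
    print("decode-only trusts:", decode_claims_unverified(bad)["upn"])
    try:
        verify_hs256(bad, KEY, "mdm")
    except ValueError as exc:
        print("rejected:", exc)
```

The decode-only function happily reports the identity from the wrongly signed token, while the verifying one rejects it; the same shape of check (algorithm pinned, signature verified against the expected issuer's key, audience checked) is what a post-upgrade test of the enrollment endpoint should confirm.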
📡 Detection & Monitoring
Log Indicators:
- Failed JWT validation attempts
- Unusual Windows device enrollment patterns
- Enrollment attempts from unexpected IP addresses
Network Indicators:
- HTTP POST requests to /api/v1/fleet/mdm/windows/enroll with malformed JWT tokens
SIEM Query:
source="fleet" AND (event="mdm_enrollment" OR event="jwt_validation") AND status="failed"