Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.
Impact
Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted.
As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles.
This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device.
Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
For more information
If you have any questions or comments about this advisory:
Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack
Credits
We thank @secfox-ai for responsibly reporting this issue.
AnalysisAI
Client certificate validation bypass in Fleet's Windows MDM management endpoint allows remote attackers to impersonate enrolled devices and exfiltrate sensitive configuration data. With high attack complexity (CVSS:4.0 AV:N/AC:H), attackers possessing a valid device identifier can retrieve MDM payloads containing Wi-Fi credentials, VPN configurations, certificates, and other secrets. Vendor-released patch (Fleet v4.81.0) available. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 8.2 severity reflects potential for credential theft and lateral movement.
Technical ContextAI
This vulnerability affects Fleet's Windows Mobile Device Management (MDM) endpoint implementation, specifically the mutual TLS (mTLS) authentication mechanism defined in the Microsoft MDM protocol (MS-MDM). The root cause is CWE-295 (Improper Certificate Validation), where the endpoint fails to enforce client certificate presentation during TLS handshake. Fleet v4 (pkg:go/github.com/fleetdm/fleet/v4) uses Go-based TLS libraries to authenticate Windows devices enrolled via MDM. Proper mTLS requires both server and client certificates for bidirectional authentication; the flaw allows requests without client certificates to bypass this critical security control. The vulnerability exists in the HTTP request handling layer before reaching the device identity verification logic, enabling certificate-less requests to be processed as trusted connections from enrolled devices.
RemediationAI
Upgrade to Fleet v4.81.0 or later, released February 20, 2026, which implements proper client certificate validation on the Windows MDM management endpoint (confirmed in release notes at https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0 and advisory https://github.com/fleetdm/fleet/security/advisories/GHSA-2rc4-7jc6-qffh). If immediate upgrade is not feasible, temporarily disable Windows MDM functionality in Fleet configuration to eliminate the attack surface-this workaround prevents new MDM profile deployments and device check-ins but protects against exploitation. Trade-off: disabling Windows MDM suspends policy enforcement and configuration management for Windows endpoints until patch deployment. For partial mitigation while maintaining MDM functionality, implement network-level restrictions limiting access to Fleet's Windows MDM endpoint to known enrolled device IP ranges or VPN segments, though this provides defense-in-depth rather than complete protection. Review MDM profile contents and temporarily remove high-value secrets (Wi-Fi PSKs, VPN credentials, certificates) until patching is complete. Post-upgrade, audit MDM access logs for suspicious device impersonation attempts (look for device identifier reuse from unexpected source IPs) and rotate any credentials that may have been exposed in MDM profiles during the vulnerability window.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30368
GHSA-2rc4-7jc6-qffh