high threat

Fleet Windows MDM Management Endpoint Authentication Bypass Vulnerability

CVE-2026-23998 describes a vulnerability in Fleet's Windows MDM management endpoint that allows requests to be processed without proper client certificate validation, potentially allowing an attacker to impersonate a device and retrieve sensitive configuration data.

Fleet’s Windows MDM management endpoint is vulnerable to an authentication bypass (CVE-2026-23998) due to improper client certificate validation. Specifically, requests to the MDM endpoint could be processed even without a valid client certificate. An attacker with prior knowledge of a valid enrolled device identifier could exploit this vulnerability to impersonate that device. Successful exploitation could allow the attacker to receive sensitive configuration payloads intended for the targeted device. This vulnerability affects Fleet versions prior to 4.81.0. It’s important for defenders to identify and mitigate this risk to protect sensitive device configurations and data.

Attack Chain

  1. Attacker identifies a target Windows device enrolled in Fleet MDM and obtains its device identifier.
  2. Attacker crafts a malicious HTTP request to the Fleet Windows MDM management endpoint.
  3. The malicious request is sent without a valid client certificate.
  4. Due to the vulnerability, the Fleet server incorrectly processes the request as if it were authenticated.
  5. The Fleet server retrieves the configuration payload associated with the target device identifier.
  6. The configuration payload, potentially containing sensitive information (Wi-Fi passwords, VPN configurations, certificates), is sent to the attacker.
  7. Attacker gains unauthorized access to sensitive configuration data of the targeted Windows device.

Impact

Successful exploitation of CVE-2026-23998 allows an attacker to retrieve sensitive configuration data intended for a specific Windows device managed by Fleet MDM. This could include Wi-Fi passwords, VPN configurations, certificates, and other secrets delivered through MDM profiles. The vulnerability does not allow the attacker to enroll new devices, gain administrative access to Fleet, or compromise the Fleet control plane. The impact is limited to the targeted Windows device, but exfiltration of sensitive information from that device could lead to broader network compromise.

Recommendation

  • Upgrade Fleet to version 4.81.0 or later to patch CVE-2026-23998 (reference: Affected Packages).
  • If an immediate upgrade is not possible, temporarily disable Windows MDM (reference: Workarounds).
  • Monitor webserver logs for requests to the MDM endpoint lacking client certificates, using the provided Sigma rules (reference: rules).

Detection coverage (2 rules)

Detect CVE-2026-23998 Exploitation Attempt — Missing Client Certificate

Severity: high

Detects a CVE-2026-23998 exploitation attempt: an HTTP request to the Windows MDM endpoint without a client certificate, indicating a potential authentication bypass.

Format: Sigma. Tactics: credential_access, defense_evasion. Techniques: T1555. Sources: webserver.

Detect CVE-2026-23998 Potential Exploitation — High Volume of Requests to MDM Endpoint from Single Source Without Client Certificates

Severity: medium

Detects potential CVE-2026-23998 exploitation: a high volume of requests to the Windows MDM endpoint from a single source without a client certificate, indicating a possible brute-force or automated exploitation attempt.

Format: Sigma. Tactics: credential_access, defense_evasion. Techniques: T1555. Sources: webserver.

Detection queries are available on the platform.
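The two detections described above, as an added example that is not Fleet's code and not the platform's Sigma rules: a Python pass over web server access logs that flags requests to the Windows MDM management endpoint whose TLS client certificate did not verify (rule 1) and counts such requests per source (rule 2). The endpoint path and the nginx-style log layout with `$ssl_client_verify` appended as the last field are assumptions; adapt both to your deployment.

```python
import re
from collections import Counter

# ASSUMPTION: path of Fleet's Windows MDM management endpoint; confirm against your deployment.
MDM_MANAGEMENT_PATH = "/api/mdm/microsoft/management"
VOLUME_THRESHOLD = 5  # "high volume" cut-off for the second rule; tune per environment

# Constructed nginx-style format: ip - - [ts] "METHOD path PROTO" status bytes $ssl_client_verify
# $ssl_client_verify is SUCCESS, NONE, or "FAILED:<reason>" (the reason may contain spaces).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<verify>.+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def missing_client_cert_hits(lines):
    """Rule 1: requests to the MDM management path whose TLS client cert did not verify."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        # Only SUCCESS proves a trusted device certificate; NONE and FAILED:* both mean
        # the request reached Fleet without that proof, which is what the bypass relies on.
        if rec and rec["path"].startswith(MDM_MANAGEMENT_PATH) and rec["verify"] != "SUCCESS":
            hits.append({"ip": rec["ip"], "status": int(rec["status"]), "verify": rec["verify"]})
    return hits

def high_volume_sources(lines, threshold=VOLUME_THRESHOLD):
    """Rule 2: source IPs with at least `threshold` cert-less requests to the endpoint."""
    counts = Counter(h["ip"] for h in missing_client_cert_hits(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample traffic (not real logs): an enrolled device, a bad cert, a scripted source.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2026:10:00:00 +0000] "POST /api/mdm/microsoft/management HTTP/1.1" 200 2311 SUCCESS',
    '10.0.0.5 - - [01/Feb/2026:10:00:02 +0000] "GET /api/v1/fleet/version HTTP/1.1" 200 88 NONE',
    '198.51.100.9 - - [01/Feb/2026:10:00:30 +0000] "POST /api/mdm/microsoft/management HTTP/1.1" 200 2311 FAILED:unable to get local issuer certificate',
] + [
    f'203.0.113.7 - - [01/Feb/2026:10:01:{i:02d} +0000] "POST /api/mdm/microsoft/management HTTP/1.1" 200 2311 NONE'
    for i in range(6)
]

if __name__ == "__main__":
    for hit in missing_client_cert_hits(SAMPLE_LOG):
        print("rule 1 hit:", hit)
    print("rule 2 sources:", high_volume_sources(SAMPLE_LOG))
```

On a patched server (4.81.0 or later) rule 1 hits should return non-2xx statuses; a 200 with a non-SUCCESS verify value on an unpatched server is the strongest signal that a payload was actually served.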

Indicators of compromise (1)

Type: email
Value: security@fleetdm.com