{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fleetdm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fleetdm/fleet/v4","Azure AD"],"_cs_severities":["high"],"_cs_tags":["jwt","azuread","authentication","bypass","mdm","fleetdm"],"_cs_type":"threat","_cs_vendors":["Microsoft","FleetDM"],"content_html":"\u003cp\u003eA critical vulnerability exists in Fleet versions prior to 4.82.0, specifically affecting the Windows MDM enrollment flow. This flaw stems from insufficient validation of JWT signatures during the Azure AD authentication process. Fleet\u0026rsquo;s implementation utilizes Microsoft\u0026rsquo;s multi-tenant JWKS endpoint for signature verification but neglects to enforce the \u003ccode\u003eaud\u003c/code\u003e (audience) and \u003ccode\u003eiss\u003c/code\u003e (issuer) claims within the JWT. This oversight permits the acceptance of authentication tokens originating from any Azure AD tenant, as long as they are signed by Microsoft and contain the expected scopes. Successful exploitation allows attackers to bypass intended authorization controls, enabling them to enroll unauthorized devices and interact with Fleet\u0026rsquo;s MDM management APIs, potentially exposing enrollment secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to any Azure AD tenant, potentially through compromised credentials or a rogue application registration.\u003c/li\u003e\n\u003cli\u003eThe attacker requests an Azure AD access token with the necessary scopes for Fleet MDM enrollment.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the Windows MDM enrollment process, presenting the crafted Azure AD access token to the Fleet MDM endpoint.\u003c/li\u003e\n\u003cli\u003eFleet validates the JWT signature against Microsoft\u0026rsquo;s JWKS endpoint but skips validation of the \u003ccode\u003eaud\u003c/code\u003e and \u003ccode\u003eiss\u003c/code\u003e claims.\u003c/li\u003e\n\u003cli\u003eThe unauthorized access token is accepted by Fleet, granting the attacker the ability to enroll a device under a different Azure AD tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages enrolled devices to interact with Fleet\u0026rsquo;s MDM management APIs.\u003c/li\u003e\n\u003cli\u003eSensitive enrollment secrets embedded in MDM command payloads are exposed to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses exposed secrets for further unauthorized access or lateral movement within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24899 can lead to unauthorized device enrollment, potentially giving attackers control over managed Windows systems. Fleet may expose sensitive enrollment secrets, facilitating further unauthorized access. This vulnerability has the potential to affect any organization using Fleet with Windows MDM enabled, leading to data breaches and compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Fleet to version 4.82.0 or later to address the vulnerability (reference: Affected Packages).\u003c/li\u003e\n\u003cli\u003eAs an immediate workaround, disable Windows MDM in Fleet if an upgrade is not possible (reference: Workarounds).\u003c/li\u003e\n\u003cli\u003eMonitor Fleet logs for suspicious device enrollment activities originating from unexpected Azure AD tenants (requires specific logging not detailed in source).\u003c/li\u003e\n\u003cli\u003eInvestigate any unauthorized device enrollments identified within the Fleet management console (requires manual review).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:15:33Z","date_published":"2026-05-14T13:15:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fleet-jwt-bypass/","summary":"A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.","title":"Fleet Windows MDM Azure AD JWT Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-fleet-jwt-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Fleetdm","version":"https://jsonfeed.org/version/1.1"}