<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FleetDM — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/fleetdm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 14 May 2026 13:18:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/fleetdm/feed.xml" rel="self" type="application/rss+xml"/><item><title>Fleet Server gRPC PublishLogs Endpoint Denial-of-Service Vulnerability (CVE-2026-26062)</title><link>https://feed.craftedsignal.io/briefs/2026-05-fleet-grpc-dos/</link><pubDate>Thu, 14 May 2026 13:18:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-fleet-grpc-dos/</guid><description>Fleet server versions prior to 4.81.0 are vulnerable to a denial-of-service (DoS) via the gRPC Launcher `PublishLogs` endpoint, where unexpected input values can cause the server process to terminate upon receiving a crafted request from an authenticated Launcher host.</description><content:encoded><![CDATA[<p>Fleet server versions before 4.81.0 contain a denial-of-service vulnerability affecting the gRPC Launcher&rsquo;s <code>PublishLogs</code> endpoint. This flaw allows an authenticated attacker, possessing a valid Launcher node key, to send a specially crafted gRPC request that the Fleet server fails to handle gracefully. The unexpected input within this request triggers a condition leading to the immediate termination of the Fleet server process, causing a complete denial of service. 
The vulnerability, assigned CVE-2026-26062, stems from inadequate input validation on the <code>PublishLogs</code> endpoint. Successful exploitation requires a valid Launcher node key, limiting the attack surface to compromised or malicious Launcher hosts enrolled within the Fleet management infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a valid Launcher node key, either by compromising a Launcher host or through an insider threat.</li>
<li>Attacker crafts a malicious gRPC request specifically targeting the <code>PublishLogs</code> endpoint of the Fleet server.</li>
<li>The malicious gRPC request contains unexpected or malformed input designed to trigger the vulnerability.</li>
<li>Attacker authenticates to the Fleet server using the compromised Launcher node key.</li>
<li>Attacker sends the crafted gRPC request to the <code>PublishLogs</code> endpoint.</li>
<li>The Fleet server receives the malicious request and attempts to process the malformed input.</li>
<li>Due to inadequate input validation, the server encounters an unhandled exception or error condition.</li>
<li>The unhandled exception causes the Fleet server process to terminate unexpectedly, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in an immediate and complete denial of service, impacting the availability of the Fleet server. This could disrupt endpoint monitoring, policy enforcement, and other critical security functions that depend on the Fleet platform. Although there is no exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact, the operational disruption can be significant, especially in environments that rely heavily on Fleet for endpoint management and security visibility. The number of affected organizations depends on the prevalence of Fleet deployments and the attacker&rsquo;s ability to compromise Launcher node keys.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Fleet server to version 4.81.0 or later to remediate the vulnerability (CVE-2026-26062).</li>
<li>Restrict network access to the Fleet gRPC endpoint (where feasible) to limit the attack surface, as described in the advisory.</li>
<li>Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required, mitigating the impact of malicious requests.</li>
<li>Monitor for repeated Fleet process crashes or unexpected restarts, indicating potential exploitation attempts, as suggested in the advisory.</li>
<li>Implement the Sigma rule &ldquo;Detect Fleet Server Crashes&rdquo; to identify potential exploitation attempts based on server crash events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>grpc</category><category>fleet</category><category>github advisory</category></item><item><title>Fleet Windows MDM Management Endpoint Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-fleet-mdm-bypass/</link><pubDate>Thu, 14 May 2026 13:15:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-fleet-mdm-bypass/</guid><description>CVE-2026-23998 describes a vulnerability in Fleet's Windows MDM management endpoint that allows requests to be processed without proper client certificate validation, potentially allowing an attacker to impersonate a device and retrieve sensitive configuration data.</description><content:encoded><![CDATA[<p>Fleet&rsquo;s Windows MDM management endpoint is vulnerable to an authentication bypass (CVE-2026-23998) due to improper client certificate validation. Specifically, requests to the MDM endpoint could be processed even without a valid client certificate. An attacker with prior knowledge of a valid enrolled device identifier could exploit this vulnerability to impersonate that device. Successful exploitation could allow the attacker to receive sensitive configuration payloads intended for the targeted device. This vulnerability affects Fleet versions prior to 4.81.0. It&rsquo;s important for defenders to identify and mitigate this risk to protect sensitive device configurations and data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a target Windows device enrolled in Fleet MDM and obtains its device identifier.</li>
<li>Attacker crafts a malicious HTTP request to the Fleet Windows MDM management endpoint.</li>
<li>The malicious request is sent without a valid client certificate.</li>
<li>Due to the vulnerability, the Fleet server incorrectly processes the request as if it were authenticated.</li>
<li>The Fleet server retrieves the configuration payload associated with the target device identifier.</li>
<li>The configuration payload, potentially containing sensitive information (Wi-Fi passwords, VPN configurations, certificates), is sent to the attacker.</li>
<li>Attacker gains unauthorized access to sensitive configuration data of the targeted Windows device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-23998 allows an attacker to retrieve sensitive configuration data intended for a specific Windows device managed by Fleet MDM. This could include Wi-Fi passwords, VPN configurations, certificates, and other secrets delivered through MDM profiles. The vulnerability does not allow the attacker to enroll new devices, gain administrative access to Fleet, or compromise the Fleet control plane. The impact is limited to the targeted Windows device, but exfiltration of sensitive information from that device could lead to broader network compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Fleet to version 4.81.0 or later to patch CVE-2026-23998 (reference: Affected Packages).</li>
<li>If an immediate upgrade is not possible, temporarily disable Windows MDM (reference: Workarounds).</li>
<li>Monitor webserver logs for requests to the MDM endpoint lacking client certificates, using the provided Sigma rules (reference: rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>authentication-bypass</category><category>credential-access</category><category>mdm</category></item><item><title>Fleet Windows MDM Azure AD JWT Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-fleet-jwt-bypass/</link><pubDate>Thu, 14 May 2026 13:15:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-fleet-jwt-bypass/</guid><description>A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in Fleet versions prior to 4.82.0, specifically affecting the Windows MDM enrollment flow. This flaw stems from insufficient validation of JWT signatures during the Azure AD authentication process. Fleet&rsquo;s implementation utilizes Microsoft&rsquo;s multi-tenant JWKS endpoint for signature verification but neglects to enforce the <code>aud</code> (audience) and <code>iss</code> (issuer) claims within the JWT. This oversight permits the acceptance of authentication tokens originating from any Azure AD tenant, as long as they are signed by Microsoft and contain the expected scopes. Successful exploitation allows attackers to bypass intended authorization controls, enabling them to enroll unauthorized devices and interact with Fleet&rsquo;s MDM management APIs, potentially exposing enrollment secrets.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to any Azure AD tenant, potentially through compromised credentials or a rogue application registration.</li>
<li>The attacker requests an Azure AD access token with the necessary scopes for Fleet MDM enrollment.</li>
<li>The attacker initiates the Windows MDM enrollment process, presenting the crafted Azure AD access token to the Fleet MDM endpoint.</li>
<li>Fleet validates the JWT signature against Microsoft&rsquo;s JWKS endpoint but skips validation of the <code>aud</code> and <code>iss</code> claims.</li>
<li>The unauthorized access token is accepted by Fleet, granting the attacker the ability to enroll a device under a different Azure AD tenant.</li>
<li>The attacker leverages enrolled devices to interact with Fleet&rsquo;s MDM management APIs.</li>
<li>Sensitive enrollment secrets embedded in MDM command payloads are exposed to the attacker.</li>
<li>The attacker uses exposed secrets for further unauthorized access or lateral movement within the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-24899 can lead to unauthorized device enrollment, potentially giving attackers control over managed Windows systems. Fleet may expose sensitive enrollment secrets, facilitating further unauthorized access. This vulnerability has the potential to affect any organization using Fleet with Windows MDM enabled, leading to data breaches and compromised systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Fleet to version 4.82.0 or later to address the vulnerability (reference: Affected Packages).</li>
<li>As an immediate workaround, disable Windows MDM in Fleet if an upgrade is not possible (reference: Workarounds).</li>
<li>Monitor Fleet logs for suspicious device enrollment activities originating from unexpected Azure AD tenants (requires specific logging not detailed in source).</li>
<li>Investigate any unauthorized device enrollments identified within the Fleet management console (requires manual review).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>jwt</category><category>azuread</category><category>authentication</category><category>bypass</category><category>mdm</category><category>fleetdm</category></item></channel></rss>