Secfox-Ai

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** A flaw in the Windows MDM management endpoint allows requests to be processed without proper client certificate validation. The endpoint relies on mutual TLS (mTLS)—a process where both the client and server authenticate each other via certificates—to authenticate enrolled devices. In affected versions, requests lacking a client certificate may be incorrectly treated as trusted. An attacker with knowledge of a valid enrolled device identifier could impersonate that device to retrieve sensitive configuration payloads, such as VPN or Wi-Fi configuration data, certificates, or other secrets delivered through MDM profiles. This issue is limited to the targeted Windows device and does not grant administrative access to the control plane or allow the enrollment of new devices. **Recommendations** Update to version 4.81.0. As a temporary workaround, disable Windows MDM.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** A flaw in the software installer pipeline allows a crafted software package to execute arbitrary commands as root on macOS and Linux, or as SYSTEM on Windows, when an uninstall is triggered. When packages such as .pkg, .deb, .rpm, .exe, or .msi are uploaded, metadata is extracted from the binary to generate uninstall scripts. This metadata is not properly sanitized, meaning a package with malicious values in its metadata fields can lead to unintended command execution on managed endpoints. **Recommendations** Update to version 4.81.0. Avoid uploading software packages from untrusted or unverified sources. Manually inspect and edit auto-generated uninstall scripts before deployment.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.1 **Description** Fleet is open source device management software. A broken access control vulnerability exists in the host transfer API. A team maintainer can transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. The host transfer endpoints verify write permission to the destination team but do not check permission over the source team. A bulk transfer variant allows stealing all matching hosts fleet-wide in a single request. Exploitation requires authentication as a team maintainer or team admin. **Recommendations** Versions prior to 4.81.1 should be upgraded. Organizations concerned about exploitation should audit host transfer activity in Fleet logs for any unexpected team reassignments.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet generates device lock and wipe PINs using a predictable algorithm based on the current Unix timestamp in affected versions. The PIN could potentially be derived if the approximate time the device was locked is known, as no secret key or additional entropy is used. An attacker with physical access to a locked device and knowledge of the approximate lock time could theoretically predict the correct PIN within a limited search window. Successful exploitation requires physical access to the device, knowledge of the approximate lock time, and is constrained by operating system rate limiting on PIN entry attempts. This issue does not allow remote exploitation or bypass of Fleet authentication controls. **Recommendations** Versions prior to 4.80.1 should be updated to version 4.80.1 or later.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. The software returns configuration data through an API endpoint, accessible to authenticated users, including those with the “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned, allowing a low-privilege user to retrieve the service account’s private key material. This could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. The issue does not allow escalation of privileges within Fleet or access to device management functionality. The vulnerable API endpoint exposes the credentials. **Recommendations** Upgrade to version 4.80.1 or later. If an immediate upgrade is not possible, remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet is open source device management software. A flaw in the Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. An attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. The impact is limited to disruption of Android device management for the affected device. **Recommendations** Versions prior to 4.80.1 should be upgraded to version 4.80.1. As a temporary workaround, consider disabling Android MDM if an immediate upgrade is not possible.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet’s certificate template deletion API had a broken authorization check. This allowed a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. The issue stemmed from a validation flaw in the batch deletion endpoint, where the system used a user-supplied team identifier without verifying if the certificate template IDs being deleted actually belonged to that team. This could disrupt certificate-based workflows, including device enrollment, Wi-Fi authentication, VPN access, and other certificate-dependent configurations. The impact is limited to the integrity and availability of certificate templates across teams. **Recommendations** Upgrade to Fleet version 4.80.1 or later. Restrict access to certificate template management to trusted users. Avoid delegating team administrator permissions where not strictly required.