PT-2026-22114 · Fleet · Fleet
Secfox-Ai · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-23999
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.80.1
Description
In affected versions, Fleet generates device lock and wipe PINs using a predictable algorithm based on the current Unix timestamp. Because no secret key or additional entropy is used, the PIN could potentially be derived if the approximate time the device was locked is known. An attacker with physical access to a locked device and knowledge of the approximate lock time could theoretically predict the correct PIN within a limited search window. Successful exploitation requires physical access to the device and knowledge of the approximate lock time, and is constrained by operating system rate limiting on PIN entry attempts. This issue does not allow remote exploitation or bypass of Fleet authentication controls.
Recommendations
Versions prior to 4.80.1 should be updated to version 4.80.1 or later.
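The weakness class from the Description, as an added Go example that is not Fleet's code: `weakPIN` is a constructed stand-in for a timestamp-derived PIN (the advisory does not publish the actual algorithm), `securePIN` draws from the OS CSPRNG, and `dependsOnlyOnClock` is a hypothetical regression check that flags any generator whose output repeats under a frozen clock. The 6-digit PIN length and all names are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// Generator produces a PIN; the clock is injected so tests can freeze it.
type Generator func(now time.Time) (string, error)

// pinSpace is 10^6: a 6-digit PIN is assumed, the advisory states no length.
var pinSpace = big.NewInt(1000000)

// weakPIN: constructed stand-in (not Fleet's code); the PIN is a pure function of the timestamp.
func weakPIN(now time.Time) (string, error) {
	return fmt.Sprintf("%06d", now.Unix()%pinSpace.Int64()), nil
}

// securePIN ignores the clock and draws uniformly from the OS CSPRNG.
func securePIN(_ time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, pinSpace)
	if err != nil {
		return "", err // fail closed: never fall back to a time-based value
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// dependsOnlyOnClock (hypothetical check): true if a frozen clock always yields the same PIN.
func dependsOnlyOnClock(gen Generator, frozen time.Time, trials int) (bool, error) {
	first, err := gen(frozen)
	if err != nil {
		return false, err
	}
	for i := 1; i < trials; i++ {
		if pin, err := gen(frozen); err != nil || pin != first {
			return false, err
		}
	}
	return true, nil
}

func main() {
	frozen := time.Unix(1700000123, 0) // constructed timestamp
	w, _ := dependsOnlyOnClock(weakPIN, frozen, 8)
	s, _ := dependsOnlyOnClock(securePIN, frozen, 8)
	fmt.Println("weakPIN clock-determined:", w, "| securePIN clock-determined:", s)
}
```

A check of this shape can run in CI against whatever function issues lock and wipe PINs, so a later refactor cannot quietly reintroduce a time-seeded generator.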
Weakness Enumeration
Use of Insufficiently Random Values
Affected Products
Fleet