PT-2026-40969 · Fleet · Fleet
Arthurgervais
+1
·
Published
2026-05-14
·
Updated
2026-06-25
·
CVE-2026-24899
CVSS v4.0
8.2
High
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.82.0
Description
A flaw in the Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. The software validates JWT (JSON Web Token) signatures using Microsoft's multi-tenant JWKS endpoint but fails to enforce the
aud (audience) or iss (issuer) claims. Consequently, any Microsoft-signed Azure AD access token with the required scopes can authenticate to MDM endpoints. An attacker with access to any Azure AD tenant can use a valid token to enroll unauthorized devices and interact with MDM management APIs. Additionally, sensitive enrollment secrets embedded in MDM command payloads may be exposed during device management, potentially leading to further unauthorized access.Recommendations
Update to version 4.82.0.
As a temporary workaround, disable Windows MDM.
Exploit
Fix
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fleet