Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.81.0
An authentication bypass vulnerability has been identified in the Windows Mobile Device Management (MDM) management endpoint of Fleet versions prior to 4.81.0. The endpoint processes requests without properly validating client certificates, so an attacker could impersonate an enrolled Windows device and access sensitive configuration data. The issue arises because the endpoint relies on mutual TLS (mTLS) client certificates for authentication, and in affected versions a request that presents no client certificate could be mistakenly treated as trusted. An attacker who knows a valid enrolled device identifier could exploit this to receive the configuration payloads intended for that device, potentially including sensitive information such as Wi-Fi or VPN details, certificates, or other secrets delivered through MDM profiles. This vulnerability does not allow new devices to be enrolled, does not grant administrative access to Fleet, and does not compromise the Fleet control plane; the impact is confined to the targeted Windows device.
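The failure mode described above, shown in Go as an added illustration that is not Fleet's own code: a fail-open handler that only checks the client certificate when one is present, beside a fail-closed handler that refuses requests without a verified certificate and binds the requested device identity to the certificate subject. The endpoint path, the `deviceid` parameter, the common-name-to-device mapping and the enrollment store are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the MDM enrollment store: device identifier -> enrolled.
var enrolledDevices = map[string]bool{"DEVICE-0001": true}
var errNoClientCert = errors.New("mdm: no verified client certificate on request")
var errUnknownDevice = errors.New("mdm: device not enrolled or identity mismatch")
// weakDeviceAuth reproduces the failure mode the advisory describes: the certificate is checked
// only when one is present, so a request with no client certificate is trusted on the device ID alone.
func weakDeviceAuth(r *http.Request) (string, error) {
	deviceID := r.URL.Query().Get("deviceid") // hypothetical parameter name, not Fleet's
	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 && r.TLS.PeerCertificates[0].Subject.CommonName != deviceID {
		return "", errUnknownDevice
	}
	if !enrolledDevices[deviceID] {
		return "", errUnknownDevice
	}
	return deviceID, nil
}

// hardenedDeviceAuth fails closed: the request must carry a client certificate that the TLS layer
// verified (ClientAuth of VerifyClientCertIfGiven or stronger fills VerifiedChains) and whose
// subject matches the enrolled device identifier.
func hardenedDeviceAuth(r *http.Request) (string, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.VerifiedChains[0]) == 0 {
		return "", errNoClientCert
	}
	deviceID := r.URL.Query().Get("deviceid")
	if leaf := r.TLS.VerifiedChains[0][0]; leaf.Subject.CommonName != deviceID || !enrolledDevices[deviceID] {
		return "", errUnknownDevice
	}
	return deviceID, nil
}
// requestFor builds a constructed request; cn == "" means the client presented no certificate.
func requestFor(deviceID, cn string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/api/mdm/manage?deviceid="+deviceID, nil)
	if cn != "" {
		leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
		r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}, VerifiedChains: [][]*x509.Certificate{{leaf}}}
	}
	return r
}
```

The application-level check complements, rather than replaces, a `tls.Config` that requests and verifies client certificates against the enrollment CA; a server that verifies certificates "if given" still needs the handler to reject the case where none was given.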
Exploitation of this vulnerability could lead to unauthorized access to sensitive configuration data on the targeted Windows device, including Wi-Fi or VPN information, certificates, and other secrets distributed through MDM profiles.
Users of Fleet should upgrade to version 4.81.0 or later. If an immediate upgrade is not possible, Windows MDM can be temporarily disabled.