Vulnerabilities ›

CVE-2026-23999

Medium

CWE-330 — Weakness Type

                    Published: Feb 26, 2026                      ·  Modified: Mar 5, 2026                      ·  Source: NVD                

CVSS v3

5.5

🔗 NVD Official

📄 Description (English)

Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known. Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window. However, successful exploitation is constrained by multiple factors: Physical access to the device is required, the approximate lock time must be known, the operating system enforces rate limiting on PIN entry attempts, attempts would need to be spread over, and device wipe operations would typically complete before sufficient attempts could be made. As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls. Version 4.80.1 contains a patch. No known workarounds are available.

🤖 AI Executive Summary

Fleet device management software versions prior to 4.80.1 use predictable algorithms for generating device lock and wipe PINs based solely on Unix timestamps without cryptographic entropy. While this vulnerability requires physical device access and knowledge of approximate lock time, it could allow attackers to derive 6-digit PINs through brute force within a limited window. The practical impact is constrained by OS-level rate limiting and device wipe timeouts, but organizations managing mobile device fleets should prioritize upgrading to version 4.80.1.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 25, 2026 18:33

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations managing mobile device fleets through Fleet—particularly in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and telecommunications companies (STC, Mobily)—face moderate risk. The vulnerability primarily affects device security posture for locked/wiped devices rather than authentication bypass. Impact is highest for organizations with strict BYOD policies or managing sensitive government/financial devices where physical security controls may be weaker. Energy sector (ARAMCO, utilities) managing field devices could also be affected if using Fleet for MDM.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Telecommunications Energy and Utilities Transportation and Logistics

🎯 MITRE ATT&CK Techniques

T1110 - Brute Force (PIN enumeration) T1200 - Hardware Additions (physical device access) T1056 - Input Capture (PIN entry observation) T1040 - Network Sniffing (if PIN transmitted insecurely) T1005 - Data from Local System (device unlock)

⚖️ Saudi Risk Score (AI)

4.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all Fleet instances in your environment and document current versions

2. Assess physical security controls around managed devices—prioritize devices in lower-security environments

3. Review device lock/wipe audit logs for suspicious PIN entry attempts

4. Implement additional physical security measures (device tracking, secure storage)



Patching Guidance:

1. Upgrade all Fleet deployments to version 4.80.1 or later immediately

2. Test upgrade in non-production environment first

3. Coordinate with device users to minimize disruption during upgrade

4. Verify PIN generation uses cryptographically secure random functions post-upgrade



Compensating Controls (if upgrade delayed):

1. Enforce strict physical access controls to locked devices

2. Implement device tracking and geofencing to detect unauthorized access attempts

3. Enable enhanced audit logging for all lock/wipe operations with precise timestamps

4. Reduce lock/wipe PIN validity window where possible

5. Implement device-level rate limiting beyond OS defaults if available



Detection Rules:

1. Monitor for multiple failed PIN entry attempts on locked devices within short timeframes

2. Alert on lock commands followed by unlock attempts within 1-2 hours

3. Track devices with lock/wipe operations during off-hours or unusual locations

4. Correlate device lock timestamps with physical access logs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات Fleet في بيئتك وقثق الإصدارات الحالية

2. قيّم الضوابط الأمنية الفيزيائية حول الأجهزة المُدارة - أعط الأولوية للأجهزة في البيئات الأقل أماناً

3. راجع سجلات تدقيق قفل/حذف الجهاز للبحث عن محاولات إدخال PIN المريبة

4. تنفيذ تدابير أمان فيزيائي إضافية (تتبع الجهاز، التخزين الآمن)

إرشادات التصحيح:

1. ترقية جميع نشرات Fleet إلى الإصدار 4.80.1 أو أحدث فوراً

2. اختبر الترقية في بيئة غير الإنتاج أولاً

3. تنسيق مع مستخدمي الجهاز لتقليل الاضطراب أثناء الترقية

4. تحقق من أن توليد PIN يستخدم وظائف عشوائية آمنة تشفيرياً بعد الترقية

الضوابط البديلة (إذا تأخرت الترقية):

1. فرض ضوابط وصول فيزيائي صارمة للأجهزة المقفلة

2. تنفيذ تتبع الجهاز والحدود الجغرافية لاكتشاف محاولات الوصول غير المصرح به

3. تفعيل تسجيل التدقيق المحسّن لجميع عمليات القفل/الحذف مع طوابع زمنية دقيقة

4. تقليل نافذة صلاحية PIN للقفل/الحذف حيث أمكن

5. تنفيذ تحديد معدل على مستوى الجهاز يتجاوز الإعدادات الافتراضية إن أمكن

قواعد الكشف:

1. مراقبة محاولات إدخال PIN المتعددة الفاشلة على الأجهزة المقفلة خلال فترات زمنية قصيرة

2. تنبيه على أوامر القفل متبوعة بمحاولات فتح خلال 1-2 ساعة

3. تتبع الأجهزة مع عمليات القفل/الحذف خلال ساعات غير العمل أو مواقع غير عادية

4. ربط طوابع زمنية لقفل الجهاز مع سجلات الوصول الفيزيائي

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Cryptographic controls for sensitive data (device PINs) ECC 2024 A.5.2.1 - Random number generation requirements ECC 2024 A.6.2.1 - Physical security of IT assets ECC 2024 A.8.2.3 - User access management and authentication

🔵 SAMA CSF

SAMA CSF ID.SC-7 - Cryptographic controls and key management SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.PT-2 - Removable media protection SAMA CSF DE.CM-1 - Audit logging and monitoring

🟡 ISO 27001:2022

ISO 27001:2022 A.5.1.4 - Cryptographic controls ISO 27001:2022 A.5.2.1 - Secure development policy ISO 27001:2022 A.6.2.1 - Physical access controls ISO 27001:2022 A.8.2.1 - User registration and access rights

🟣 PCI DSS v4.0.1

PCI DSS 3.4 - Render PAN unreadable (if device contains payment data) PCI DSS 6.2 - Secure development practices PCI DSS 8.2.1 - Strong authentication mechanisms

🔗 References & Sources 1

🔗

https://github.com/fleetdm/fleet/security/advisories/GHSA-ppwx-5jq7-px2w

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

fleetdm:fleet

📊 CVSS Score

5.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.5

CWECWE-330

Exploit No

Patch ✗ No

Published 2026-02-26

Source Feed nvd

🇸🇦 Saudi Risk Score

4.2

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-330

🏢 Vendor Advisories

🔗 https://github.com/fleetdm/fleet/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-23999

Introduce Yourself

Sign In Required