📄 Description (English)
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
🤖 AI Executive Summary
CVE-2026-29180 is a critical broken access control vulnerability in Fleet device management software (versions prior to 4.81.1) that allows team maintainers to illegally transfer hosts between teams, bypassing isolation controls. Attackers gaining access to transferred hosts can execute arbitrary scripts with root privileges, potentially compromising entire device fleets. This vulnerability poses significant risk to Saudi organizations managing large-scale device deployments across multiple teams or departments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 01:05
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi government agencies (NCA, NCSC), telecommunications sector (STC, Mobily), banking institutions under SAMA oversight, and energy sector (ARAMCO, SEC). Organizations using Fleet for endpoint management across multiple departments face critical risk of unauthorized host access and lateral movement. Government entities managing classified or sensitive infrastructure through Fleet deployments are particularly vulnerable to insider threats and privilege escalation attacks.
🏢 Affected Saudi Sectors
Government and Public Administration
Telecommunications
Banking and Financial Services
Energy and Utilities
Healthcare
Defense and Security
🎯 MITRE ATT&CK Techniques
T1078 - Valid Accounts (team maintainer account abuse)
T1548 - Abuse Elevation Control Mechanism (privilege escalation to root)
T1537 - Transfer Data to Cloud Account (lateral movement between teams)
T1059 - Command and Scripting Interpreter (root script execution)
T1087 - Account Discovery (identifying team structures)
T1136 - Create Account (potential persistence mechanisms)
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Fleet instances in your environment and document current version numbers
2. Restrict team maintainer privileges immediately — audit all team maintainer accounts for suspicious host transfers
3. Review audit logs for unauthorized host transfers between teams, particularly to maintainer-owned teams
4. Isolate any hosts that show evidence of unauthorized transfer or script execution
PATCHING GUIDANCE:
1. Upgrade Fleet to version 4.81.1 or later immediately
2. Test patches in non-production environment first
3. Implement staged rollout to minimize operational disruption
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement network segmentation to limit lateral movement from compromised hosts
2. Enforce multi-factor authentication for all team maintainer accounts
3. Deploy host-based intrusion detection to monitor for unauthorized script execution
4. Implement strict RBAC — remove unnecessary team maintainer privileges
5. Enable comprehensive audit logging for all host transfer operations
DETECTION RULES:
1. Monitor API calls to host transfer endpoints for requests from non-authorized users
2. Alert on any host transfers that cross team boundaries
3. Track script execution with root privileges on transferred hosts
4. Monitor for bulk host transfer operations within short timeframes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات Fleet في بيئتك وقم بتوثيق أرقام الإصدارات الحالية
2. قيد امتيازات مسؤول الفريق على الفور - قم بتدقيق جميع حسابات مسؤول الفريق للتحويلات المريبة للأجهزة
3. راجع سجلات التدقيق للتحويلات غير المصرح بها للأجهزة بين الفرق، خاصة إلى الفرق المملوكة لمسؤول الفريق
4. عزل أي أجهزة تظهر دليلاً على نقل غير مصرح به أو تنفيذ نصوص برمجية
إرشادات التصحيح:
1. قم بترقية Fleet إلى الإصدار 4.81.1 أو أحدث على الفور
2. اختبر التصحيحات في بيئة غير الإنتاج أولاً
3. تنفيذ التطبيق المرحلي لتقليل الاضطراب التشغيلي
عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ تقسيم الشبكة لتحديد الحركة الجانبية من الأجهزة المخترقة
2. فرض المصادقة متعددة العوامل لجميع حسابات مسؤول الفريق
3. نشر كشف الاختراق على مستوى المضيف لمراقبة تنفيذ النصوص البرمجية غير المصرح بها
4. تنفيذ RBAC صارم - إزالة امتيازات مسؤول الفريق غير الضرورية
5. تفعيل تسجيل التدقيق الشامل لجميع عمليات نقل الأجهزة
قواعد الكشف:
1. مراقبة استدعاءات API لنقاط نهاية نقل الأجهزة للطلبات من المستخدمين غير المصرح لهم
2. تنبيه على أي تحويلات أجهزة تعبر حدود الفريق
3. تتبع تنفيذ النصوص البرمجية بامتيازات جذر على الأجهزة المنقولة
4. مراقبة عمليات نقل الأجهزة الضخمة في فترات زمنية قصيرة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1 - Access Control Policies (broken access control violates team isolation)
ECC 2024 A.5.2 - User Registration and Access Rights Management (privilege escalation)
ECC 2024 A.5.3 - User Access Review (unauthorized host transfers)
ECC 2024 A.8.1 - Audit Logging (insufficient controls on sensitive operations)
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy (team isolation bypass)
SAMA CSF ID.AC-2 - Physical and Logical Access Controls (broken authorization)
SAMA CSF DE.AE-1 - Audit Logging (detection of unauthorized transfers)
SAMA CSF PR.AC-1 - Identity and Access Management (privilege escalation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management (broken access control)
ISO 27001:2022 A.5.3 - Access Rights Review (unauthorized privilege escalation)
ISO 27001:2022 A.8.2 - User Responsibility (audit logging of sensitive operations)
ISO 27001:2022 A.8.3 - Password Management (team isolation controls)
📦 Affected Products / CPE 1 entries
fleetdm:fleet