CVE-2026-23999 Overview
Fleet is open source device management software that enables organizations to manage and secure their device fleet. A vulnerability has been identified in versions prior to 4.80.1 where device lock and wipe PINs were generated using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.
Fleet's device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.
Critical Impact
Attackers with physical access to a locked device and knowledge of the approximate lock time could potentially predict the device unlock PIN, bypassing the device lock security control.
Affected Products
- Fleet Device Management Software versions prior to 4.80.1
Discovery Timeline
- 2026-02-26 - CVE-2026-23999 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-23999
Vulnerability Analysis
This vulnerability is a textbook instance of Use of Insufficiently Random Values (CWE-330) in a security-critical context. The PIN generation mechanism drew on a weak source of entropy: the Unix timestamp alone served as the seed for PIN generation. Because the timestamp is not secret, the output is predictable and can be reproduced by an attacker who knows or can estimate when the lock command was issued.
The vulnerability requires physical access to exploit, which significantly limits the attack surface. Additionally, several mitigating factors constrain successful exploitation: operating system rate limiting on PIN entry attempts, the need to know the approximate lock time, and the fact that device wipe operations would typically complete before sufficient attempts could be made.
Root Cause
The root cause is insufficient entropy in the PIN generation algorithm. The implementation derived the 6-digit PIN solely from the current Unix timestamp, without mixing in a cryptographically secure random value or a secret key. A 6-digit PIN has 1,000,000 possible values, but with a timestamp-only derivation at one-second resolution, an uncertainty of W seconds about the lock time leaves at most W candidate PINs, so anyone who can estimate the lock time can calculate the same PIN that was generated.
Attack Vector
The attack vector requires physical access to the target device. An attacker would need to:
- Obtain physical possession of a locked Fleet-managed device
- Determine or estimate the approximate time when the device lock command was issued
- Calculate potential PINs based on timestamps within the estimated time window
- Attempt PIN entries while navigating OS-level rate limiting
The physical access requirement and rate limiting constraints significantly increase the difficulty of successful exploitation. This is not remotely exploitable and does not allow fleet-wide compromise or bypass of Fleet authentication controls.
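To make the root cause and the attack steps above concrete, here is an added Go example that is not Fleet's code and does not reproduce Fleet's actual derivation: weakPIN models a PIN drawn from a PRNG seeded only with the Unix timestamp, candidatePINs and recoverLockTime show how an attacker with an approximate lock time collapses the 6-digit keyspace to the size of the time window, and securePIN shows the corrected pattern using crypto/rand. All function names and the scenario timestamps are illustrative assumptions.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// weakPIN models the flawed pattern described in the advisory: a PRNG seeded
// with nothing but the Unix timestamp. This is an illustration of the bug
// class, not Fleet's actual code; the real derivation is not reproduced here.
func weakPIN(unixSeconds int64) string {
	r := mrand.New(mrand.NewSource(unixSeconds))
	return fmt.Sprintf("%06d", r.Intn(1000000))
}

// candidatePINs is the attacker's view: every PIN the weak scheme could have
// produced if the lock was issued within +/- slack seconds of approxLock.
// The slice is de-duplicated, so its length is the worst-case number of PIN
// entries needed (at most 2*slack+1, versus 1,000,000 for a random PIN).
func candidatePINs(approxLock, slack int64) []string {
	seen := make(map[string]struct{})
	var out []string
	for ts := approxLock - slack; ts <= approxLock+slack; ts++ {
		p := weakPIN(ts)
		if _, dup := seen[p]; !dup {
			seen[p] = struct{}{}
			out = append(out, p)
		}
	}
	return out
}

// recoverLockTime does the reverse search: given a PIN and the attacker's
// estimate of the lock time, find a timestamp in the window that yields it.
func recoverLockTime(pin string, approxLock, slack int64) (int64, bool) {
	for ts := approxLock - slack; ts <= approxLock+slack; ts++ {
		if weakPIN(ts) == pin {
			return ts, true
		}
	}
	return 0, false
}

// securePIN is the corrected pattern: draw the PIN from a cryptographically
// secure source so knowledge of the lock time gives no advantage. Each of the
// 1,000,000 values is equally likely and independent of the clock.
func securePIN() (string, error) {
	n, err := crand.Int(crand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

func main() {
	// Constructed scenario: the lock was issued at lockTime, and the attacker
	// only knows it happened within about two minutes of a later estimate.
	lockTime := time.Date(2026, 2, 26, 9, 30, 0, 0, time.UTC).Unix()
	pin := weakPIN(lockTime)
	estimate, slack := lockTime+37, int64(120)

	cands := candidatePINs(estimate, slack)
	fmt.Printf("weak PIN %s; attacker needs at most %d guesses instead of 1000000\n", pin, len(cands))

	if ts, ok := recoverLockTime(pin, estimate, slack); ok {
		fmt.Printf("timestamp %d reproduces the PIN\n", ts)
	}

	strong, err := securePIN()
	if err != nil {
		panic(err)
	}
	fmt.Printf("secure PIN %s is not a function of the clock\n", strong)
}
```

The candidate count is what the OS-level rate limiting in the mitigating factors has to defend against: a two-minute uncertainty yields at most 241 guesses, which is why the fix replaces the derivation rather than trying to slow down entry.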
Detection Methods for CVE-2026-23999
Indicators of Compromise
- Unusual patterns of failed PIN entry attempts on locked devices
- Evidence of physical tampering with Fleet-managed devices
- Unexpected device unlock events without corresponding administrator actions in Fleet logs
Detection Strategies
- Review Fleet server logs for device lock commands and correlate with device unlock events
- Monitor for automated or scripted PIN entry attempts through device-level logging
- Audit physical access logs to identify unauthorized access to locked devices
- Enable enhanced device logging to capture PIN entry attempt patterns
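The lock/unlock correlation listed above can be expressed as a small Go program. This is an added example, not Fleet code: the adminAction and hostReport record types, their field names, and the sample events are constructed assumptions standing in for whatever export of Fleet's activity and host data you have. It flags any device-reported locked-to-unlocked transition that has no administrator unlock recorded within a grace window before it.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed record types for this example. Fleet's real activity and host
// schemas are not reproduced here; adapt the field mapping to your export.
type adminAction struct {
	Host   string
	Action string    // "lock" or "unlock", issued by an admin through Fleet
	At     time.Time // when Fleet recorded the action
}

type hostReport struct {
	Host   string
	Locked bool      // lock state the device reported at check-in
	At     time.Time // when the report was received
}

// adminUnlockWithin reports whether an admin unlock for the host exists in
// the interval [at-grace, at].
func adminUnlockWithin(unlocks []time.Time, at time.Time, grace time.Duration) bool {
	for _, u := range unlocks {
		if !u.After(at) && !u.Before(at.Add(-grace)) {
			return true
		}
	}
	return false
}

// unexplainedUnlocks returns, per host, the time of every locked -> unlocked
// transition in the device reports that has no admin unlock within grace
// before it. That transition is the signal the advisory describes: the device
// left the locked state without a matching administrator action.
func unexplainedUnlocks(actions []adminAction, reports []hostReport, grace time.Duration) map[string][]time.Time {
	unlocks := map[string][]time.Time{}
	for _, a := range actions {
		if a.Action == "unlock" {
			unlocks[a.Host] = append(unlocks[a.Host], a.At)
		}
	}
	byHost := map[string][]hostReport{}
	for _, r := range reports {
		byHost[r.Host] = append(byHost[r.Host], r)
	}
	out := map[string][]time.Time{}
	for host, rs := range byHost {
		sort.Slice(rs, func(i, j int) bool { return rs[i].At.Before(rs[j].At) })
		for i := 1; i < len(rs); i++ {
			if rs[i-1].Locked && !rs[i].Locked && !adminUnlockWithin(unlocks[host], rs[i].At, grace) {
				out[host] = append(out[host], rs[i].At)
			}
		}
	}
	return out
}

// sampleData builds a constructed data set: host-a is locked and later
// unlocked by an admin; host-b is locked by an admin but reports itself
// unlocked with no admin unlock on record; host-c was never locked.
func sampleData() ([]adminAction, []hostReport) {
	base := time.Date(2026, 2, 26, 9, 0, 0, 0, time.UTC)
	actions := []adminAction{
		{"host-a", "lock", base},
		{"host-b", "lock", base},
		{"host-a", "unlock", base.Add(2 * time.Hour)},
	}
	reports := []hostReport{
		{"host-a", true, base.Add(1 * time.Minute)},
		{"host-a", false, base.Add(2*time.Hour + 1*time.Minute)},
		{"host-b", true, base.Add(1 * time.Minute)},
		{"host-b", false, base.Add(40 * time.Minute)},
		{"host-c", false, base},
		{"host-c", false, base.Add(1 * time.Hour)},
	}
	return actions, reports
}

// runSample applies the correlation to the constructed data with a 15 minute
// grace window; only host-b should be reported.
func runSample() map[string][]time.Time {
	actions, reports := sampleData()
	return unexplainedUnlocks(actions, reports, 15*time.Minute)
}

func main() {
	for host, times := range runSample() {
		for _, at := range times {
			fmt.Printf("ALERT %s reported unlocked at %s with no admin unlock on record\n", host, at.Format(time.RFC3339))
		}
	}
}
```

The grace window absorbs the lag between an administrator's unlock in Fleet and the device's next check-in; tune it to your check-in interval, since a window that is too short produces false alerts and one that is too long hides a PIN-guessed unlock that happened to follow a legitimate one.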
Monitoring Recommendations
- Implement alerting for multiple failed PIN entry attempts on locked devices
- Track device lock/unlock events in centralized logging systems
- Monitor for correlation between device lock timestamps and unauthorized physical access attempts
- Review Fleet audit logs regularly for anomalous device management activities
How to Mitigate CVE-2026-23999
Immediate Actions Required
- Upgrade Fleet to version 4.80.1 or later immediately
- Audit devices locked while running an affected version; their PINs remain predictable, so consider re-issuing the lock command after upgrading
- Review physical security controls for managed devices
- Monitor for any suspicious PIN entry attempts on locked devices
Patch Information
Fleet has released version 4.80.1 which addresses this vulnerability by implementing a more secure PIN generation mechanism with proper cryptographic entropy. Organizations should upgrade to this version or later. For additional details, refer to the GitHub Security Advisory.
Workarounds
- No vendor workaround is available; upgrading to version 4.80.1 or later is the only remediation
- Until the upgrade is complete, the following compensating controls reduce exposure:
- Implement strong physical security controls to limit unauthorized access to locked devices
- Use additional device security measures beyond Fleet's lock functionality until patching is complete
# Upgrade Fleet to the patched version. Helm chart version numbers and Fleet
# application versions are not guaranteed to match; check the image tag the
# chart deploys and confirm the running server reports 4.80.1 or later.
# Using Helm:
helm upgrade fleet fleetdm/fleet --version 4.80.1
# Verify the Fleet version (fleetctl version reports the version of the CLI
# binary, which may differ from the server's; confirm the server version in
# the Fleet UI as well)
fleetctl version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


