Fleet is an open source device management platform widely used for managing endpoints across organizations. CVE-2026-23518 is a critical vulnerability identified in Fleet's Windows Mobile Device Management (MDM) enrollment process. The root cause is improper verification of cryptographic signatures on JSON Web Tokens (JWTs) used during authentication. Specifically, Fleet versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fail to validate JWT signatures correctly, allowing attackers to craft forged tokens containing arbitrary identity claims. This flaw enables an attacker to enroll unauthorized devices under any Azure Active Directory (Azure AD) user identity without requiring authentication or user interaction. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) and has a CVSS 4.0 score of 9.3, reflecting its critical severity. Exploitation could lead to unauthorized device enrollment, potentially granting attackers persistent footholds within enterprise environments, unauthorized access to sensitive data, and the ability to bypass endpoint security controls. Although no public exploits are currently known, the ease of exploitation (no privileges or user interaction required) and the broad scope of affected versions make this a high-risk issue. The vendor has released patched versions addressing the flaw. If immediate patching is not feasible, disabling Windows MDM enrollment is recommended as a temporary mitigation.

For European organizations, this vulnerability poses a significant threat to endpoint security and identity integrity. Unauthorized device enrollment under arbitrary Azure AD identities can lead to multiple attack vectors including data exfiltration, lateral movement, and persistent access within corporate networks. Organizations relying on Fleet for device management and integrating with Azure AD are particularly vulnerable. Compromise of device enrollment processes undermines trust in endpoint security posture and can facilitate insider-like attacks by masquerading as legitimate users. This can impact confidentiality by exposing sensitive data, integrity by allowing unauthorized changes to device configurations, and availability if malicious devices disrupt operations. The critical severity and ease of exploitation mean that attackers can quickly leverage this flaw to compromise large fleets of devices. European enterprises in sectors such as finance, government, healthcare, and critical infrastructure, which often use Azure AD and device management solutions, are at heightened risk. The vulnerability also raises compliance concerns under GDPR and other data protection regulations due to potential unauthorized access and data breaches.

1. Immediate upgrade to Fleet versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 where the vulnerability is fixed. 2. If upgrading is not immediately possible, temporarily disable Windows MDM enrollment functionality in Fleet to prevent exploitation. 3. Implement strict monitoring and alerting on device enrollment logs to detect anomalous or unauthorized enrollments. 4. Enforce multi-factor authentication and conditional access policies in Azure AD to limit the impact of compromised identities. 5. Conduct regular audits of enrolled devices and user identities to identify and remove unauthorized devices promptly. 6. Harden Fleet server access controls and network segmentation to limit exposure. 7. Educate IT and security teams about this specific vulnerability and ensure rapid incident response capability. 8. Review and update incident response plans to include scenarios involving unauthorized device enrollment and identity spoofing. 9. Collaborate with Fleet community and vendors for timely updates and threat intelligence sharing.