
CVE-2026-23518: CWE-347: Improper Verification of Cryptographic Signature in fleetdm fleet

Severity: Critical
Tags: vulnerability, cve-2026-23518, cwe-347
Published: Wed Jan 21 2026 (01/21/2026, 21:50:47 UTC)
Source: CVE Database V5
Vendor/Project: fleetdm
Product: fleet

Description

CVE-2026-23518 is a critical vulnerability in Fleet open source device management software affecting versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 22:20:32 UTC

Technical Analysis

CVE-2026-23518 is a critical cryptographic signature verification vulnerability (CWE-347) in Fleet, an open source device management platform. The vulnerability affects multiple Fleet versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, specifically in the Windows Mobile Device Management (MDM) enrollment flow. Fleet uses JSON Web Tokens (JWTs) to authenticate device enrollment requests. However, due to improper verification of JWT signatures, Fleet accepts tokens with forged signatures, allowing attackers to impersonate arbitrary Azure Active Directory (Azure AD) user identities. This flaw bypasses authentication and authorization controls, enabling unauthorized devices to enroll in the managed environment. Such unauthorized enrollment can lead to device spoofing, unauthorized access to corporate resources, and potential lateral movement within the network. The vulnerability is exploitable remotely over the network without any privileges or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects a critical severity with high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the flaw's nature makes it a prime target for attackers aiming to compromise enterprise device management. The issue is resolved in Fleet versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. Until patched, disabling Windows MDM enrollment is recommended to mitigate risk.
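The failure class described above (claims read from a JWT that the server never actually verified) is easiest to see next to a verifier that does the job properly. The following is an added illustrative example written for this advisory; it is not Fleet's code, and it does not claim to show where Fleet's verification went wrong. It assumes an HMAC-SHA256 (HS256) token, a constructed `upn` identity claim, and a constructed signing key, and it contrasts a decode-only pattern with a verifier that pins the algorithm, compares the signature in constant time and enforces expiry.

```python
"""
Illustrative JWT handling for an enrollment endpoint. Constructed as a teaching
example for this advisory; not Fleet's code. The 'upn' claim, the HS256 choice
and the key are assumptions made for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a legitimate identity provider would (constructed issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(canonical_json(header)) + "." + b64url_encode(canonical_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Weak pattern: reads the payload and never looks at the signature.
    Whoever can edit the middle segment controls the identity the server sees."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Hardened pattern: returns the claims only if the token is genuine and current."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm: the header's 'alg' is client-controlled input and
    # must never select which verifier runs (this also rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("token expired or has no exp")
    return claims


def enrollment_identity(token: str, key: bytes, now=None):
    """What an enrollment handler should do: the identity comes only from a verified token;
    any failure (malformed, bad signature, expired, missing claim) yields no identity."""
    try:
        return verify_hs256(token, key, now)["upn"]
    except (ValueError, KeyError):
        return None


def replace_claims_keep_signature(token: str, new_claims: dict) -> str:
    """Test fixture: swaps the payload but keeps the original signature, producing a
    token whose signature no longer covers its claims. A correct verifier rejects it."""
    header_b64, _payload, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(canonical_json(new_claims))}.{sig_b64}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    genuine = sign_hs256({"upn": "alice@example.com", "exp": 2_000_000_000}, key)
    mismatched = replace_claims_keep_signature(genuine, {"upn": "admin@example.com", "exp": 2_000_000_000})
    print("decode-only sees:", decode_unverified(mismatched)["upn"])   # admin@example.com, trusted blindly
    print("verified identity:", enrollment_identity(mismatched, key))  # None, rejected
    print("verified genuine:", enrollment_identity(genuine, key))      # alice@example.com
```

The point for reviewers of any enrollment flow: the identity used for authorization must be the return value of a function like `verify_hs256`, never of a decode step, and the verifier must pin the algorithm rather than trust the token header to choose it. For a production deployment that accepts tokens from Azure AD, the same structure applies with RS256 and the provider's published signing keys instead of a shared HMAC key.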

Potential Impact

For European organizations, this vulnerability poses a severe risk to device management security, particularly for those leveraging Fleet integrated with Azure AD environments. Unauthorized device enrollment can lead to compromised endpoint security, allowing attackers to introduce rogue devices that appear legitimate. This can facilitate data exfiltration, unauthorized access to sensitive systems, and lateral movement within corporate networks. The breach of device identity integrity undermines trust in endpoint management, potentially disrupting compliance with GDPR and other regulations requiring strict device control and auditability. Critical sectors such as finance, healthcare, and government agencies in Europe, which rely heavily on secure device management and Azure AD, are especially vulnerable. The network-exploitable nature without authentication or user interaction increases the likelihood of widespread exploitation if unpatched. The impact extends beyond confidentiality to integrity and availability, as attackers could manipulate device enrollment to disrupt operations or implant persistent threats.

Mitigation Recommendations

European organizations should immediately upgrade Fleet to versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 to remediate the vulnerability. If upgrading is not immediately feasible, temporarily disable Windows MDM enrollment functionality to prevent exploitation. Conduct thorough audits of enrolled devices to detect any unauthorized enrollments that may have occurred prior to patching. Implement enhanced monitoring and alerting on device enrollment activities, focusing on anomalous Azure AD identity claims. Restrict network access to Fleet management interfaces to trusted IP ranges and enforce strong network segmentation. Review and tighten Azure AD conditional access policies to limit device enrollment scope. Educate IT and security teams about the vulnerability and ensure incident response plans include scenarios involving rogue device enrollment. Finally, maintain up-to-date inventory and asset management to quickly identify and isolate suspicious devices.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-13T18:22:43.980Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69714dc34623b1157cef80f1

Added to database: 1/21/2026, 10:05:55 PM

Last enriched: 1/21/2026, 10:20:32 PM

Last updated: 1/22/2026, 12:22:09 AM
