Fleet is an open source device management platform used to control and secure endpoints. In versions before 4.80.1, the device lock and wipe feature generates a 6-digit PIN to unlock devices. This PIN is deterministically derived from the current Unix timestamp without incorporating any secret key or additional entropy, resulting in insufficient randomness (CWE-330). Because the PIN generation algorithm is predictable, an attacker who gains physical possession of a locked device and knows approximately when the lock command was issued can attempt to guess the PIN by iterating over a limited range of timestamps. However, several factors constrain exploitation: physical access is mandatory, the operating system enforces rate limiting on PIN entry attempts, and the device wipe operation typically completes before enough attempts can be made to guess the PIN successfully. The vulnerability does not enable remote attacks, fleet-wide compromise, or bypass of Fleet’s authentication mechanisms. The issue was addressed in Fleet version 4.80.1 by improving the randomness of PIN generation. No known workarounds exist, and no exploits have been reported in the wild. The CVSS 4.0 vector indicates a low severity with partial attack complexity and attack requiring physical access but no privileges or user interaction.

The primary impact of this vulnerability is the potential for an attacker with physical access to a locked device to bypass the lock by predicting the PIN used for unlocking or wiping the device. This could lead to unauthorized device access or premature device wipe, potentially resulting in data loss or device unavailability. However, the impact is limited due to the need for physical access, the requirement to know the approximate lock time, and the operating system’s rate limiting on PIN attempts. Organizations using Fleet for device management may face increased risk if devices are lost or stolen and the attacker is capable of exploiting this vulnerability before the device wipe completes. There is no risk of remote compromise or broader fleet-wide attacks, so the threat is localized to individual devices. The vulnerability could undermine trust in device lock mechanisms if exploited, but overall risk to organizational confidentiality, integrity, and availability is low.

Organizations should upgrade Fleet to version 4.80.1 or later immediately to ensure the PIN generation uses sufficient entropy and is not predictable. Until upgraded, physical security controls should be strengthened to prevent unauthorized physical access to devices, especially those that may be locked remotely. Monitoring and alerting on device lock and wipe events can help detect suspicious activity. Rate limiting and lockout policies on devices should be reviewed and enforced to minimize brute force attempts. Additionally, organizations should consider implementing multi-factor authentication or additional device protection mechanisms beyond the Fleet PIN where possible. Regular audits of device management configurations and incident response plans for lost or stolen devices will further reduce risk. Since no workarounds exist, patching is the primary remediation.