Executive Summary

CVE-2026-34391 is a high-severity vulnerability in Fleet's Windows Mobile Device Management (MDM) command processing affecting versions prior to 4.81.1.

The flaw allows a malicious enrolled Windows device to access MDM commands intended for other devices within the same Fleet environment.

This happens because when a Windows device reports a specific SyncML status code during MDM communication, Fleet tries to resend the original command by looking it up in a shared command table.

A device-controlled value used in this lookup is not properly validated or scoped, enabling the attacker to match and retrieve commands belonging to other enrolled devices.

These matched commands may include sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads, which are then re-queued and delivered to the attacker’s device on the next check-in.

Exploitation requires the attacker to have a device enrolled in Fleet’s Windows MDM.

The vulnerability does not affect environments where Windows MDM is disabled or where no Windows devices are enrolled.

The issue is fixed in Fleet version 4.81.1 and later.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a malicious enrolled Windows device to access sensitive configuration data intended for other devices, such as WiFi credentials, VPN secrets, and certificate payloads. Exposure of such sensitive information could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized disclosure.

Organizations using Fleet prior to version 4.81.1 may face increased risk of data breaches due to this vulnerability, potentially impacting their compliance posture until the issue is patched or mitigated.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a malicious enrolled Windows device to access sensitive MDM commands intended for other devices.

As a result, sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet may be exposed to an attacker.

This exposure can lead to unauthorized access to network resources, compromise of secure communications, and potential further exploitation within the managed environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a malicious enrolled Windows device exploiting Fleet's Windows MDM command processing by sending a specific SyncML status code to trigger command resending. Detection would involve monitoring Fleet's Windows MDM communication for unusual SyncML status codes or unexpected command lookups in the shared command table.

Since the vulnerability exploits the handling of SyncML status codes and command resending, network or system detection could focus on identifying devices that repeatedly trigger command resends or access commands intended for other devices.

However, no specific detection commands or tools are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Fleet to version 4.81.1 or later, where the vulnerability is fixed.

If immediate upgrade is not possible, a temporary mitigation is to disable Windows MDM functionality in Fleet, as the vulnerability only affects environments with Windows MDM enabled and enrolled Windows devices.

Useful 0 Not Useful 0