
Fleet, an open-source platform widely used for IT and security operations, has released a critical security update addressing CVE-2025-27509, a high-severity vulnerability impacting SAML authentication. With a CVSSv4 score of 9.3, this flaw allows attackers to forge authentication assertions, potentially leading to administrative compromise.
Fleet, trusted by organizations such as Fastly and Gusto for vulnerability reporting, device management (MDM), and security monitoring, identified an improper validation of SAML responses in vulnerable versions of its platform. According to Fleet’s security advisory: “In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, potentially impersonating legitimate users.”
This flaw is particularly dangerous in environments where Just-In-Time (JIT) provisioning or MDM enrollment is enabled, as attackers could:
- Create new administrative accounts by exploiting JIT provisioning.
- Leverage MDM enrollment to tie new accounts to forged SAML assertions.
- Gain unauthorized access to Fleet, potentially with administrative privileges, which would give visibility into sensitive device data and the ability to modify security configurations.
This vulnerability was responsibly reported by @hakivvi, alongside Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team.
Fleet has rolled out patches to address this critical vulnerability. The fix is available in version 4.64.2, along with backports for versions 4.63.2, 4.62.4, 4.58.1, and 4.53.2. If you’re running any earlier version, you are strongly advised to upgrade immediately. The patch is tied to commit fc96cc4, for those who want to dig into the technical details.
However, if an immediate upgrade isn’t feasible, Fleet has provided a temporary workaround: “If an immediate upgrade is not possible, Fleet users should temporarily disable single-sign-on (SSO) and use password authentication.” This will mitigate the risk until you can apply the necessary updates.
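To turn the advisory's version list into a repeatable self-check, the following is an added example written for this post; it is not Fleet's own code. It encodes the fixed releases named above (4.64.2 and the backports 4.63.2, 4.62.4, 4.58.1 and 4.53.2) and assumes the natural reading of "any earlier version": a deployment is only considered patched if it is 4.64.2 or later, or if it sits on one of the backported minor lines at or above that line's patched release. Every other version is flagged for upgrade, and the interim advice to fall back to password authentication is reported alongside. The version strings fed to it are constructed for illustration.

```python
"""Self-check for CVE-2025-27509 exposure based on a Fleet server version string.

Added example, not Fleet's code. Fixed releases are taken from the advisory;
the treatment of versions on minor lines that received no backport (needs an
upgrade to the latest fixed release) is an assumption, not an advisory statement.
"""
import re
from typing import Optional, Tuple

# Patched release on each minor line that received the fix, keyed by (major, minor).
FIXED_BY_LINE = {
    (4, 64): 2,   # 4.64.2, the primary fix
    (4, 63): 2,   # backport 4.63.2
    (4, 62): 4,   # backport 4.62.4
    (4, 58): 1,   # backport 4.58.1
    (4, 53): 2,   # backport 4.53.2
}
LATEST_FIXED = (4, 64, 2)
INTERIM_WORKAROUND = "disable SSO and use password authentication until upgraded"

# Accepts "4.63.1", "v4.63.1" or "4.63.1-rc1"; trailing build/pre-release tags are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a Fleet version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Fleet version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version carries the fix, either directly or via a backport."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= LATEST_FIXED:
        return True
    line_fix = FIXED_BY_LINE.get((major, minor))
    return line_fix is not None and patch >= line_fix


def recommended_target(version: str) -> Optional[str]:
    """Smallest hop that closes the gap: the backport on the same line if one
    exists, otherwise the latest fixed release. None when already patched."""
    if is_patched(version):
        return None
    major, minor, _ = parse_version(version)
    line_fix = FIXED_BY_LINE.get((major, minor))
    if line_fix is not None:
        return f"{major}.{minor}.{line_fix}"
    return "{}.{}.{}".format(*LATEST_FIXED)


def assess(version: str) -> dict:
    """Summarise exposure and the actions the advisory prescribes."""
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "upgrade_to": recommended_target(version),
        "interim_workaround": None if patched else INTERIM_WORKAROUND,
    }


if __name__ == "__main__":
    # Constructed sample inventory: the version strings are illustrative only.
    for sample in ["v4.64.2", "4.63.1", "4.60.3", "4.53.2-rc1", "4.65.0"]:
        print(assess(sample))
```

Running it over a list of server versions pulled from your inventory gives, per host, whether the fix is present, the minimal upgrade target, and whether the SSO workaround still needs to be in place; versions that the regex cannot parse raise rather than silently passing, so an unexpected format is surfaced instead of being treated as safe.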