SAML Response Forgery in Fleet Device Management Software
CVE-2025-27509

9.3 CRITICAL

Key Information:

Vendor: Fleetdm
Status: Vendor
CVE Published: 6 March 2025

What is CVE-2025-27509?

Fleet device management software mishandles SAML responses: an attacker can craft a specially formed SAML response to forge authentication assertions. With Just-In-Time (JIT) provisioning enabled, this allows an unauthorized individual to provision an administrative account; with Mobile Device Management (MDM) enrollment active, it allows creation of accounts linked to the forged assertions. This issue has been addressed in versions 4.64.2, 4.63.2, 4.62.4, and 4.58.1. For more details and mitigation steps, refer to the vendor's security advisory.

Affected Version(s)

Product   Affected             Unaffected   Fixed
fleet     >= 4.64.0, < 4.64.2  < 4.64.0     4.64.2
fleet     >= 4.63.0, < 4.63.2  < 4.63.0     4.63.2
fleet     >= 4.62.0, < 4.62.4  < 4.62.0     4.62.4

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved