Fleet MDM Vulnerability: SQL Injection Threatens Sensitive Data

/HIGH
SCW vulnerabilitycveidentitytools
Fleet MDM Vulnerability: SQL Injection Threatens Sensitive Data

CVE Notify is flagging a critical second-order SQL injection vulnerability (CVE-2026-34385) impacting Fleet, the open-source device management software. They report that prior to version 4.81.0, an attacker possessing a valid MDM enrollment certificate could exploit this flaw. The vulnerability resides within Fleet’s Apple MDM profile delivery pipeline. Exploitation could lead to the exfiltration or modification of the Fleet database contents, a serious risk given the sensitive information it likely stores.

According to CVE Notify, the compromised data could include user credentials, API tokens, and crucial device enrollment secrets. This means a successful attack could grant an adversary deep access into an organization’s device management infrastructure, potentially enabling further lateral movement and compromise. Fleet has since patched this vulnerability in version 4.81.0, making an immediate upgrade a top priority for all users.

What This Means For You

  • Organizations using Fleet should immediately verify their current version and upgrade to 4.81.0 or later to mitigate the risk of CVE-2026-34385. For those unable to upgrade immediately, review and rotate any exposed credentials or API tokens that may have been previously accessible through the MDM pipeline.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component: Database Components Initial Access T1071.004 Application Layer Protocol: DNS Command and Control

🛡️ Detection Rules

1 rule · 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-34385

Sigma YAML — free preview

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

IDTypeIndicator
CVE-2026-34385 SQLi Fleet < 4.81.0, Apple MDM profile delivery pipeline, second-order SQL injection
CVE-2026-34385 Information Disclosure Fleet < 4.81.0, Apple MDM profile delivery pipeline, exfiltrate database contents (user credentials, API tokens, device enrollment secrets)
CVE-2026-34385 Code Injection Fleet < 4.81.0, Apple MDM profile delivery pipeline, modify database contents (user credentials, API tokens, device enrollment secrets)

By Shimi's Cyber World Editorial

Related coverage

Featured

Daily Security Digest — 2026-05-22

13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.

daily-digestvulnerabilityCVEhigh-severitycwe-88privilege-escalationcwe-863criticalremote-code-executioncwe-434
/SCW Daily Digest /CRITICAL

Huawei Router Flaw Triggered Telecom Blackout, SecurityWeek Reports

SecurityWeek reports on a critical flaw in Huawei routers that led to a significant telecom blackout. While details are sparse, the incident underscores the inherent...

threat-intelvulnerabilityidentity
/SCW Vulnerability Desk /MEDIUM /⚑ 3 IOCs /⚙ 3 Sigma

Ubiquiti Patches Three Max Severity UniFi OS Vulnerabilities

Ubiquiti has rolled out critical security updates addressing three maximum severity vulnerabilities in UniFi OS. BleepingComputer reports these flaws, tracked as CVE-2023-48092, CVE-2023-48093, and CVE-2023-48094,...

threat-inteldata-breachmalwarevulnerabilitytools
/SCW Vulnerability Desk /MEDIUM /⚑ 3 IOCs /⚙ 1 Sigma