9.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27509

CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation

Impact

In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:

Forge authentication assertions, potentially impersonating legitimate users.
If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.

This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.

Patches

This issue is addressed in commit fc96cc4 and is available in Fleet version 4.64.2.

The following backport versions also address this issue:

4.63.2
4.62.4
4.58.1
4.53.2

Workarounds

If an immediate upgrade is not possible, Fleet users should temporarily disable single-sign-on (SSO) and use password authentication.

Credit

Thank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our responsible disclosure process.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com
Join #fleet in osquery Slack

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-27509

CVE-2025-27509:

9.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/fleetdm/fleet/v4	go	>= 4.64.0, < 4.64.2	4.64.2
github.com/fleetdm/fleet/v4	go	>= 4.63.0, < 4.63.2	4.63.2
github.com/fleetdm/fleet/v4	go	>= 4.62.0, < 4.62.4	4.62.4
github.com/fleetdm/fleet/v4	go	>= 4.54.0, < 4.58.1	4.58.1
github.com/fleetdm/fleet/v4	go	< 4.53.2	4.53.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper SAML response validation. The commit diff shows critical changes to validateAssertionSignature - the original version used etreeutils.NSFindIterate which allowed processing multiple assertions without strict namespace enforcement. The patched version adds explicit checks for: 1) Exactly one Assertion element 2) Correct namespace 3) Signature validation. The CWE-74 (Injection) maps to processing untrusted XML elements, while CWE-285 (Authorization) relates to failing to properly authenticate assertions. The validateSignature() function's error handling (falling back to assertion validation without proper safeguards) created the entry point for exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation

Impact

Patches

Workarounds

Credit

For more information

CVE-2025-27509:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation

Impact

Patches

Workarounds

Credit

For more information

9.3

9.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI