CVE-2025-27509

CRITICAL Year: 2025
Weakness Type
CWE-285
View all →

Vulnerability Description

fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrollment is enabled. This vulnerability is fixed in 4.64.2, 4.63.2, 4.62.4, and 4.58.1.

Related Vulnerabilities

CVE-2020-5206

CRITICAL
CVSS:10.0(Critical)

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect give...

CWE-2852020

CVE-2021-31384

CRITICAL
CVSS:10.0(Critical)

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an ...

CWE-2852021

CVE-2021-37705

CRITICAL
CVSS:10.0(Critical)

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Direc...

CWE-2852021

CVE-2020-3374

CRITICAL
CVSS:9.9(Critical)

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive informat...

CWE-2852020

CVE-2025-29827

CRITICAL
CVSS:9.9(Critical)

Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

CWE-2852025