CVE-2026-27806: Local Privilege Escalation via Tcl Script Injection in Fleet DM Orbit Agent

The Fleet DM Orbit agent functions as a management utility for macOS endpoints, operating with system-level root privileges. A critical component of its feature set involves managing macOS FileVault disk encryption, including the periodic rotation of recovery keys. To perform these system-level tasks interactively, the Orbit agent acts as a privileged intermediary between the operating system and the local user.

CVE-2026-27806 represents a local privilege escalation vulnerability within this FileVault key rotation workflow. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command. The attack surface is exposed specifically when the Orbit agent presents a graphical user interface dialog requesting the local user's password to authenticate a key change.

The core issue stems from how the Orbit agent processes the user-provided password before passing it to underlying system utilities. The agent dynamically generates a script to handle authentication, failing to sanitize specific control characters. Successful exploitation permits an unprivileged local user to inject arbitrary instructions into this privileged execution flow.

Exploitation results in full host compromise. Because the Orbit agent requires root access to interact with FileVault APIs, any injected instructions execute within this elevated context. This allows an attacker to bypass standard macOS security boundaries without requiring administrative credentials.

The mechanism for FileVault key rotation in Fleet relies on the native macOS fdesetup command-line utility. Since fdesetup requires interactive password entry, the Orbit agent automates this interaction by dynamically generating a Tcl/expect script. This script receives the user's password from the GUI prompt and feeds it to the fdesetup process via the expect runtime.

The root cause of the vulnerability lies in the method used to embed the user's password into the expect script. The Orbit agent interpolates the plaintext password directly into a brace-quoted string within the Tcl script, utilizing standard string formatting functions. The generated script executes via a system call structured as exec.Command("expect", "-c", script).

In the Tcl scripting language, braces {} denote literal strings where variable substitution and command execution are disabled. The Orbit agent places the user password inside these braces, generating a command formatted as send {password}. The developers assumed the braces would safely encapsulate any input provided by the user.

However, the implementation fails to neutralize or escape the closing brace character } within the user input. If a user submits a password containing }, the Tcl interpreter treats it as the termination of the literal string block. Any subsequent characters supplied in the input are then parsed and evaluated as standard Tcl syntax, enabling direct command injection into the expect interpreter.

The vulnerable execution path begins in the Go source code of the Orbit agent, where the Tcl script is assembled. The agent constructs the payload using fmt.Sprintf, placing the external variable directly into the Tcl command structure. The application does not apply filtering or escaping routines to the input variable prior to formatting.

// Vulnerable implementation concept
script := fmt.Sprintf(`
spawn fdesetup changerecovery -personal
expect "Enter the user name:"
send "%s\r"
expect "Enter the password for the user:"
send {%s}\r
expect eof
`, username, password)
 
cmd := exec.Command("expect", "-c", script)
err := cmd.Run()

When the resulting string is passed to the expect binary via the -c flag, the interpreter evaluates the entire text block. The injection point occurs precisely at the send {%s} instruction. If the password variable contains control characters such as }, ;, and exec, the syntax tree parsed by Tcl is fundamentally altered.

The fix implemented in version 4.81.1 eliminates this injection vector. Secure implementations for handling credentials in spawned processes require passing sensitive data via environment variables or standard input pipelines, rather than concatenating them into executable script bodies. When string interpolation is strictly necessary, robust sanitization functions must strip or escape all syntax-breaking characters.

An attacker initiates the exploit by interacting with the Orbit agent during a scheduled or forced FileVault key rotation event. The attacker must possess local access to the macOS host and be the target of the key rotation prompt. No advanced network positioning or prior administrative rights are required.

The core of the exploit involves crafting a password payload that deliberately breaks the Tcl string literal formatting. The payload must begin with a valid or dummy string, followed by the closing brace } to exit the send argument. A semicolon ; is then used as the Tcl command separator, instructing the interpreter to evaluate the subsequent string as a new command.

password} ; exec /bin/sh -c "cp /bin/sh /tmp/rootshell && chmod +s /tmp/rootshell" ; #

When the Orbit agent processes this payload, the resulting interpolated line becomes send {password} ; exec /bin/sh -c "cp /bin/sh /tmp/rootshell && chmod +s /tmp/rootshell" ; #}. The send command executes first. Next, the Tcl exec command spawns a shell process to execute the payload. The trailing #} comments out the original script's closing brace and newline, preventing a syntax error that would halt execution.

The injected shell commands inherit the user context of the parent expect process. Because the Orbit agent invoked expect as root, the copied /bin/sh executable receives the setuid bit and is owned by root. The attacker subsequently executes /tmp/rootshell -p to acquire a persistent, interactive root shell on the system.

The vulnerability carries a CVSS v3.1 base score of 7.8 (High), reflecting the severity of a local privilege escalation without user interaction prerequisites beyond the standard system workflow. The vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that confidentiality, integrity, and availability are fully compromised upon successful execution.

Exploitation grants the attacker unconstrained root access to the macOS endpoint. This level of access permits the installation of persistent kernel extensions, modification of security audit configurations, and access to all protected user directories. Attackers can bypass standard macOS Transparency, Consent, and Control (TCC) protections by manipulating the underlying SQLite databases.

In an enterprise environment, the compromise of a management agent presents severe secondary risks. The attacker gains the ability to extract Fleet DM enrollment secrets, manipulate local OSquery instrumentation to feed false telemetry to the management console, or harvest credentials stored in system memory.

The vulnerability is highly reliable because it does not rely on memory corruption primitives or race conditions. The attack exploits deterministic script parsing logic, resulting in a 100% success rate on vulnerable versions. The limitation is the attack vector, which requires the attacker to wait for or trigger the specific FileVault key rotation dialogue.

Organizations utilizing Fleet DM must upgrade the Orbit agent to version 4.81.1 or later across their entire macOS fleet. Fleet administrators should utilize the management console to enforce this update policy and verify compliance. The patch correctly processes credential input, preventing the syntax boundary breakout.

Administrators should leverage OSquery to audit endpoint versions and verify the absence of vulnerable software. Queries should target the installed Orbit agent binaries, specifically filtering for version numbers prior to 4.81.1. This ensures no orphaned or unmanaged installations remain active on corporate endpoints.

If immediate patching is not feasible, administrators can temporarily mitigate the risk by suspending automated FileVault key rotation policies. Disabling the feature that triggers the GUI prompt removes the user input vector required for exploitation. This is an interim workaround and does not patch the underlying binary flaw.

Security operation centers should implement detection rules to monitor for exploitation attempts. Anomalous child processes spawned by expect running as root are a primary indicator of compromise. Suspicious activities include the creation of setuid binaries in /tmp or the execution of reverse shell payloads immediately following fdesetup execution.