Impact
An application‑layer flaw in the Orbit agent of Fleet device management software allows a local user to inject arbitrary Tcl commands. During the FileVault key rotation flow, a GUI prompt captures a user’s password and inserts it directly into a Tcl/expect script. Because the password is embedded inside a Tcl brace‑quoted string, an input that contains a closing brace prematurely terminates the literal and permits the execution of arbitrary Tcl commands. Since Orbit runs as root, the attacker can run commands with elevated privileges, effectively gaining full root access. This vulnerability is categorized as CWE‑78, a code‑execution flaw caused by unsanitized input.
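As an added illustration (not code from the Fleet project or from the advisory), the following Go program models the quoting failure described above and the fix. The script text, the variable names and the `ROTATION_PASSWORD` environment variable are assumptions made for this example; they are not Orbit's actual rotation script. `braceLiteralEnd` applies Tcl's rule for brace-quoted words (braces nest, a backslash stops the next brace from counting), `secretStaysQuoted` checks whether a given input survives intact inside such a word, and `runSafe` shows the mitigation: the secret never becomes part of the script source, it is handed to expect as data.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// braceLiteralEnd returns the index just past the '}' that closes the
// brace-quoted Tcl word beginning at s[start] (which must be '{'), or -1 if
// the word never closes. Tcl's rule: braces nest, and a backslash stops the
// next character (including a brace) from counting.
func braceLiteralEnd(s string, start int) int {
	if start < 0 || start >= len(s) || s[start] != '{' {
		return -1
	}
	depth := 0
	for i := start; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // backslash-brace neither opens nor closes a word
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				return i + 1
			}
		}
	}
	return -1
}

// buildScriptUnsafe models the flawed pattern: the secret is spliced into the
// script source inside a brace-quoted word. The script shape is a hypothetical
// stand-in for the real rotation script, not Orbit's code.
func buildScriptUnsafe(password string) string {
	return fmt.Sprintf("set password {%s}\nsend -- \"$password\\r\"\n", password)
}

// secretStaysQuoted reports whether the brace-quoted word produced by
// buildScriptUnsafe holds exactly the password. It returns false when the
// input closes the word early (an unbalanced '}') or leaves it unterminated
// (a trailing backslash), i.e. whenever part of the input would be parsed as
// script rather than as data.
func secretStaysQuoted(password string) bool {
	script := buildScriptUnsafe(password)
	start := strings.IndexByte(script, '{')
	end := braceLiteralEnd(script, start)
	if end < 0 {
		return false
	}
	return script[start+1:end-1] == password
}

// safeScript is the hardened variant: the secret is never part of the script
// text. Tcl reads it from the process environment at run time, so no input
// can change how the script is parsed. ROTATION_PASSWORD is a name chosen
// for this example only.
const safeScript = "set password $env(ROTATION_PASSWORD)\nsend -- \"$password\\r\"\n"

// scriptEmbedsSecret is the review check that should fail for the hardened
// variant: does the script source contain the secret at all?
func scriptEmbedsSecret(script, password string) bool {
	return strings.Contains(script, password)
}

// runSafe prepares the expect invocation for the hardened script. The script
// arrives on stdin (expect, like tclsh, reads commands from stdin when no
// script file is given) and the secret travels only in the environment of
// this one child process. The command is prepared, not executed, here.
func runSafe(password string) *exec.Cmd {
	cmd := exec.Command("expect")
	cmd.Stdin = strings.NewReader(safeScript)
	cmd.Env = append(os.Environ(), "ROTATION_PASSWORD="+password)
	return cmd
}

func main() {
	// Constructed sample inputs: a plain password, one with an unbalanced
	// brace, and one ending in a backslash.
	for _, p := range []string{"correct horse", "abc}", `trailing\`} {
		fmt.Printf("%-16q stays inside its braces: %v\n", p, secretStaysQuoted(p))
	}
	cmd := runSafe("correct horse")
	fmt.Println("hardened script embeds secret:", scriptEmbedsSecret(safeScript, "correct horse"))
	fmt.Println("would run:", cmd.Args, "with the secret only in its environment")
}
```

The brace scanner is useful as a unit test against any code that still builds Tcl source from strings, but the durable fix is the second half: once the secret reaches the interpreter as a value rather than as source text, the quoting rules of the language no longer matter. The environment is still visible to anything able to inspect that child process, so a dedicated pipe is stricter where that is a concern; the invariant either way is that user input is data, never script.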
Affected Systems
The defect impacts the open‑source Fleet project, specifically the Orbit agent component. All releases before version 4.81.1 of Fleet are vulnerable. This includes devices running any Fleet release from 4.0 up through 4.81.0, as the FileVault rotation functionality existed unchanged until the patch. The issue is confined to environments where the Orbit agent executes as root and a local user can trigger the password dialog.
Risk and Exploitability
With a CVSS v3.1 score of 7.8, the vulnerability is considered high severity. The EPSS score is unavailable, but the advisory notes that exploitation requires local access to the device and the ability to invoke the Disk‑Encryption key rotation routine. A local attacker can simply trigger this action from the Fleet interface or via command line. Because the agent runs as root, the impact is a complete system compromise, providing the attacker with persistence, data exfiltration, and potential lateral movement within the managed environment. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet.
OpenCVE Enrichment
GitHub GHSA