diff --git a/changes/19928-empty-certs b/changes/19928-empty-certs
new file mode 100644
index 0000000000..1c080369dd
--- /dev/null
+++ b/changes/19928-empty-certs
@@ -0,0 +1 @@
+* Fixed a server panic when sending a request to `/mdm/apple/mdm` without certificate headers.
diff --git a/server/mdm/crypto/scep.go b/server/mdm/crypto/scep.go
index f8746f282f..1367030bf4 100644
--- a/server/mdm/crypto/scep.go
+++ b/server/mdm/crypto/scep.go
@@ -23,6 +23,10 @@ func NewSCEPVerifier(ds fleet.MDMAssetRetriever) *SCEPVerifier {
 }

 func (s *SCEPVerifier) Verify(cert *x509.Certificate) error {
+ if cert == nil {
+ return errors.New("no certificate provided")
+ }
+
 opts := x509.VerifyOptions{
 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 Roots: x509.NewCertPool(),
diff --git a/server/mdm/crypto/scep_test.go b/server/mdm/crypto/scep_test.go
new file mode 100644
index 0000000000..a8865b58f9
--- /dev/null
+++ b/server/mdm/crypto/scep_test.go
@@ -0,0 +1,13 @@
+package mdmcrypto
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestSCEPVerifierVerifyEmptyCerts(t *testing.T) {
+ v := &SCEPVerifier{}
+ err := v.Verify(nil)
+ require.ErrorContains(t, err, "no certificate provided")
+}
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index b8149a546f..23f8fc3c19 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -9075,3 +9075,9 @@ func (s *integrationMDMTestSuite) TestSilentMigrationGotchas() {
 require.True(t, resp.Notifications.RenewEnrollmentProfile)
 require.False(t, resp.Notifications.NeedsMDMMigration)
 }
+
+func (s *integrationMDMTestSuite) TestMDMRequestWithoutCerts() {
+ t := s.T()
+ res := s.DoRawNoAuth("PUT", "/mdm/apple/mdm", nil, http.StatusBadRequest)
+ require.NoError(t, res.Body.Close())
+}
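Review bot: The nil guard added at the top of `Verify` in server/mdm/crypto/scep.go returns an anonymous `errors.New("no certificate provided")`, so a caller can tell a missing certificate from a failed chain verification only by matching the message text, as the new unit test does. I would suggest a package-level sentinel, for example `var ErrNoCertificate = errors.New("no certificate provided")`, returned from the guard so the HTTP layer can use `errors.Is` to pick the status code and log missing-certificate requests separately from invalid ones. A doc comment such as `// Verify fails closed: a nil cert is rejected before any chain validation.` would record the contract. The rest of Verify's body lies outside the hunk, so any later dereference of `cert` cannot be checked from here.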
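Review bot: `TestSCEPVerifierVerifyEmptyCerts` in server/mdm/crypto/scep_test.go has no comment explaining why it uses a zero-value `&SCEPVerifier{}`. Presumably the asset retriever passed to `NewSCEPVerifier` is left nil in that value, so the test passes only while the nil check runs before the retriever is touched. A comment such as `// Zero-value verifier on purpose: the nil-cert check must return before the asset retriever is used.` would make that ordering requirement visible to whoever next edits `Verify`.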
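Review bot: `TestMDMRequestWithoutCerts` in server/service/integration_mdm_test.go covers only a request that carries no certificate at all. A request whose certificate header is present but empty or undecodable is not exercised, and this diff does not show whether that path also reaches `Verify` with a nil certificate. A second `s.DoRawNoAuth` case for that input, also expecting `http.StatusBadRequest`, would pin the handler's behaviour for both. A comment such as `// regression: a request with no device certificate must be rejected, not panic` would tie the test to the fix.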