Critical Dell Wyse Management Suite Flaws Let Attackers Fully Compromise Systems
Key Takeaways
- Two critical vulnerabilities in Dell Wyse Management Suite (WMS) On-Premises allow for full system compromise.
- Chaining CVE-2026-22765 and CVE-2026-22766 enables unauthenticated remote code execution (RCE).
- Both Standard (free) and Pro (paid) editions of WMS On-Premises are affected.
- Dell released WMS version 5.5 on February 23, 2026, to address these flaws.
A comprehensive security analysis has revealed a critical series of vulnerabilities within Dell Wyse Management Suite (WMS) On-Premises, which, when exploited in sequence, can lead to a complete compromise of the management server. Researchers demonstrated that combining two distinct, seemingly minor logic flaws allows an unauthenticated attacker to bypass security mechanisms and achieve remote code execution.
The identified vulnerabilities are:
- CVE-2026-22765 (CVSS 8.8): This flaw involves missing authorization, allowing a remote attacker with low privileges to escalate their access to full administrative control.
- CVE-2026-22766 (CVSS 7.2): An unrestricted file upload vulnerability that permits a high-privileged remote attacker to execute arbitrary code on the underlying system.
Dell has since released WMS version 5.5 on February 23, 2026, to patch these security issues. The vulnerabilities specifically affect on-premises installations of both the free Standard and the paid Pro editions of Dell WMS.
The Exploitation Chain
The path to achieving unauthenticated remote code execution is intricate, relying on the sequential exploitation of device registration flaws, unprotected API endpoints, and path traversal bypasses.
Initial Foothold via Device Registration
The attack sequence commences with device registration. In the default configuration of the on-premises WMS, an attacker can register a rogue device by submitting an empty group token. While this action places the device into a restricted quarantine group, it successfully yields a device identifier and an authentication code, providing the crucial initial access needed to interact with the WMS API.
Privilege Escalation through API Manipulation
With a valid device signature in hand, the attacker can then exploit improperly exposed Active Directory (AD) import routes. By making successive calls to the importADUserGroups and addRoleToADGroup API endpoints, the attacker can craft a custom role group endowed with administrative privileges. Subsequently, the importADUsers endpoint is manipulated to provision a new administrator account linked to this newly created role.
Bypassing Authentication
Gaining access to this newly established administrator account necessitates overcoming an authentication barrier. According to PTsecurity research, attackers have two methods to achieve this. The first method exploits a logic flaw within the password reset function. By importing the administrator with an empty Active Directory User Principal Name (UPN), the system’s AD user verification fails, enabling the attacker to request a password reset to an external email address.
Alternatively, in Pro environments where LDAP is configured, an attacker can supply the identifier of a compromised low-privileged domain user during the import process. This allows them to authenticate as the newly created administrator using standard domain credentials.
Achieving Remote Code Execution
The final stage of the attack leverages these newly acquired administrative privileges to deploy a malicious JSP web shell. Although the application incorporates filters designed to prevent traditional path traversal attacks, an administrator can maliciously reconfigure the local file repository settings. By modifying the repository path to point directly to the Tomcat web root directory and issuing an API command to restart the Tomcat service, the attacker effectively clears the path configuration cache and bypasses all existing file upload restrictions. A JSP payload can then be uploaded through an image upload route, culminating in complete unauthenticated remote code execution.
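The chain described in the three sections above, viewed from the defender's side: the following is an added example, not Dell's, PT Security's or this article's code. It runs two detections over constructed access-log lines (the device-authenticated session calling the Active Directory import routes, and the repository-settings change followed by a Tomcat restart and a JSP upload through the image route) and adds a configuration check that flags a local repository path resolving into the Tomcat web root. The log format, the client identities (a "device-" prefix marks device-authenticated sessions) and the URL paths are assumptions made for this example; only the endpoint names importADUserGroups, addRoleToADGroup and importADUsers come from the write-up, so map them onto your own log fields before use.

```python
import posixpath
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed access-log lines: "<time> <client> <method> <path> <status>".
# Client names, route paths and the "device-" prefix are assumptions for this
# example; the three AD import endpoint names are the ones from the article.
SAMPLE_LOG = """\
2026-02-20T10:00:01Z device-9f1 POST /api/importADUserGroups 200
2026-02-20T10:00:03Z device-9f1 POST /api/addRoleToADGroup 200
2026-02-20T10:00:05Z device-9f1 POST /api/importADUsers 200
2026-02-20T10:02:10Z admin-new PUT /api/repository/settings 200
2026-02-20T10:02:12Z admin-new POST /api/service/tomcat/restart 200
2026-02-20T10:02:40Z admin-new POST /api/images/upload?name=shell.jsp 200
2026-02-20T11:15:00Z admin-alice POST /api/importADUsers 200
2026-02-20T11:16:00Z admin-alice POST /api/images/upload?name=logo.png 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
AD_IMPORT_ROUTES = ("importADUserGroups", "addRoleToADGroup", "importADUsers")
SERVER_EXEC_EXTENSIONS = (".jsp", ".jspx")


def parse_log(text):
    """Return (timestamp, client, method, path) for well-formed lines with a 2xx status."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        if not status.startswith("2"):
            continue  # rejected calls do not advance the chain
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, path))
    return events


def route_name(path):
    """Last path segment with any query string removed, e.g. 'importADUsers'."""
    return path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def detect_ad_import_abuse(events, window=timedelta(minutes=10)):
    """Flag (a) a device-authenticated client touching the AD import routes at all and
    (b) any client running importADUserGroups -> addRoleToADGroup -> importADUsers in
    that order inside `window`, which is the escalation sequence described above."""
    findings = []
    per_client = {}
    for ts, client, _method, path in events:
        name = route_name(path)
        if name in AD_IMPORT_ROUTES:
            per_client.setdefault(client, []).append((ts, name))
    for client, calls in per_client.items():
        if client.startswith("device-"):  # assumed naming convention for device sessions
            findings.append((client, "device identity used AD import routes"))
        first_seen = {}
        for ts, name in calls:
            first_seen.setdefault(name, ts)
        if len(first_seen) == len(AD_IMPORT_ROUTES):
            times = [first_seen[r] for r in AD_IMPORT_ROUTES]
            if times == sorted(times) and times[-1] - times[0] <= window:
                findings.append((client, "full AD import escalation sequence"))
    return findings


def detect_repo_webshell_chain(events, window=timedelta(minutes=30)):
    """Flag a client that changes the repository settings, restarts Tomcat and then
    pushes a server-executable file through the image upload route within `window`.
    The route paths matched here are assumptions for this example."""
    findings = []
    steps = {}  # client -> first-seen time of each step
    for ts, client, method, path in events:
        name = route_name(path)
        query = path.partition("?")[2].lower()
        st = steps.setdefault(client, {})
        if "repository" in path and method in ("PUT", "POST"):
            st.setdefault("repo", ts)
        elif name == "restart" and "tomcat" in path:
            st.setdefault("restart", ts)
        elif name == "upload" and "images" in path and query.endswith(SERVER_EXEC_EXTENSIONS):
            if "repo" in st and "restart" in st and ts - st["repo"] <= window:
                findings.append((client, "repository redirect + Tomcat restart + executable upload"))
    return findings


def repository_inside_webroot(repo_path, webroot):
    """True if the configured repository is the Tomcat web root or lies beneath it,
    which would make repository uploads directly servable. Lexical normalisation
    only (no filesystem access), so '..' segments are collapsed; symlinks still need
    an os.path.realpath comparison on the live host."""
    repo = PurePosixPath(posixpath.normpath(repo_path))
    root = PurePosixPath(posixpath.normpath(webroot))
    return repo == root or root in repo.parents


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, msg in detect_ad_import_abuse(evs) + detect_repo_webshell_chain(evs):
        print(f"ALERT {client}: {msg}")
    # Constructed paths: a '..' chain that lands inside the web root is still caught.
    print(repository_inside_webroot("/var/wms/repository/../../../opt/tomcat/webapps/ROOT",
                                    "/opt/tomcat/webapps"))
```

Two design points worth noting: the sequence detector keys on the first time each route is seen per client and requires the order the article describes, so a legitimate administrator who only calls importADUsers (admin-alice in the sample) is not flagged; and the path check compares normalised path components rather than string prefixes, so a sibling directory such as /opt/tomcat/webapps2 does not produce a false positive while a traversal-style path that resolves under the web root does.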
Dell’s WMS version 5.5 addresses these critical logic flaws, effectively neutralizing the entire exploitation chain. System administrators managing Dell WMS On-Premises deployments are urged to update their infrastructure without delay to safeguard their environments against these severe attack vectors.
What You Should Do
- Immediately update Dell Wyse Management Suite (WMS) On-Premises to version 5.5 or later.
- Verify that the update has been successfully applied across all affected deployments.
- Review system logs for any signs of suspicious activity or unauthorized access attempts prior to patching.
- Ensure proper network segmentation for management interfaces to limit exposure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.