Critical Dell Wyse Management Suite Flaws Let Attackers Fully Compromise Systems

Sarah simpson
March 24, 2026

Key Takeaways

  • Two critical vulnerabilities in Dell Wyse Management Suite (WMS) On-Premises allow for full system compromise.
  • Chaining CVE-2026-22765 and CVE-2026-22766 enables unauthenticated remote code execution (RCE).
  • Both Standard (free) and Pro (paid) editions of WMS On-Premises are affected.
  • Dell released WMS version 5.5 on February 23, 2026, to address these flaws.

A comprehensive security analysis has revealed a critical series of vulnerabilities within Dell Wyse Management Suite (WMS) On-Premises, which, when exploited in sequence, can lead to a complete compromise of the management server. Researchers demonstrated that combining two distinct, seemingly minor logic flaws allows an unauthenticated attacker to bypass security mechanisms and achieve remote code execution.

The identified vulnerabilities are:

  • CVE-2026-22765 (CVSS 8.8): This flaw involves missing authorization, allowing a remote attacker with low privileges to escalate their access to full administrative control.
  • CVE-2026-22766 (CVSS 7.2): An unrestricted file upload vulnerability that permits a high-privileged remote attacker to execute arbitrary code on the underlying system.

Dell has since released WMS version 5.5 on February 23, 2026, to patch these security issues. The vulnerabilities specifically affect on-premises installations of both the free Standard and the paid Pro editions of Dell WMS.

The Exploitation Chain

The path to achieving unauthenticated remote code execution is intricate, relying on the sequential exploitation of device registration flaws, unprotected API endpoints, and path traversal bypasses.

Initial Foothold via Device Registration

The attack sequence commences with device registration. In the default configuration of the on-premises WMS, an attacker can register a rogue device by submitting an empty group token. While this action places the device into a restricted quarantine group, it successfully yields a device identifier and an authentication code, providing the crucial initial access needed to interact with the WMS API.

Privilege Escalation through API Manipulation

With a valid device signature in hand, the attacker can then exploit improperly exposed Active Directory (AD) import routes. By making successive calls to the importADUserGroups and addRoleToADGroup API endpoints, the attacker can craft a custom role group endowed with administrative privileges. Subsequently, the importADUsers endpoint is manipulated to provision a new administrator account linked to this newly created role.

Bypassing Authentication

Gaining access to this newly established administrator account necessitates overcoming an authentication barrier. According to PTsecurity research, attackers have two methods to achieve this. The first method exploits a logic flaw within the password reset function. By importing the administrator with an empty Active Directory User Principal Name (UPN), the system’s AD user verification fails, enabling the attacker to request a password reset to an external email address.

Alternatively, in Pro environments where LDAP is configured, an attacker can supply the identifier of a compromised low-privileged domain user during the import process. This allows them to authenticate as the newly created administrator using standard domain credentials.

Achieving Remote Code Execution

The final stage of the attack leverages these newly acquired administrative privileges to deploy a malicious JSP web shell. Although the application incorporates filters designed to prevent traditional path traversal attacks, an administrator can maliciously reconfigure the local file repository settings. By modifying the repository path to point directly to the Tomcat web root directory and issuing an API command to restart the Tomcat service, the attacker effectively clears the path configuration cache and bypasses all existing file upload restrictions. A JSP payload can then be uploaded through an image upload route, culminating in complete unauthenticated remote code execution.

Dell’s WMS version 5.5 addresses these critical logic flaws, effectively neutralizing the entire exploitation chain. System administrators managing Dell WMS On-Premises deployments are urged to update their infrastructure without delay to safeguard their environments against these severe attack vectors.

What You Should Do

  • Immediately update Dell Wyse Management Suite (WMS) On-Premises to version 5.5 or later.
  • Verify that the update has been successfully applied across all affected deployments.
  • Review system logs for any signs of suspicious activity or unauthorized access attempts prior to patching.
  • Ensure proper network segmentation for management interfaces to limit exposure.
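
For the log-review step, the following added example (not code from Dell, the researchers, or this article) scans a web access log for one client calling the three AD import endpoints named above in order within a short window. It assumes Tomcat's "common" access-log layout; the URL prefix, IP addresses, 30-minute window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint names come from the article; everything else here is an assumption.
CHAIN = ("importADUserGroups", "addRoleToADGroup", "importADUsers")
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
# Assumed layout: host ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Last path segment without the query string, so any URL prefix matches.
    endpoint = m["path"].split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return m["ip"], ts, endpoint, int(m["status"])

def find_chains(lines):
    """Return (ip, first_ts, last_ts) for each in-order run of CHAIN by one client."""
    progress = defaultdict(list)  # ip -> timestamps of chain steps seen so far
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, endpoint, status = rec
        if endpoint not in CHAIN or status >= 400:
            continue  # rejected calls are worth a separate review
        steps = progress[ip]
        if steps and ts - steps[0] > WINDOW:
            steps.clear()  # partial chain went stale
        if endpoint == CHAIN[len(steps)]:
            steps.append(ts)
        elif endpoint == CHAIN[0]:
            steps[:] = [ts]  # chain restarted from the first step
        if len(steps) == len(CHAIN):
            hits.append((ip, steps[0], steps[-1]))
            steps.clear()
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical URL prefix).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2026:10:00:01 +0000] "POST /example-api/importADUserGroups HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Feb/2026:10:00:05 +0000] "POST /example-api/addRoleToADGroup HTTP/1.1" 200 128',
    '198.51.100.4 - - [20/Feb/2026:10:01:00 +0000] "POST /example-api/importADUsers HTTP/1.1" 200 256',
    '203.0.113.7 - - [20/Feb/2026:10:02:09 +0000] "POST /example-api/importADUsers HTTP/1.1" 200 256',
]
```

Legitimate administrators may produce the same sequence, so compare each hit against known change windows and confirm whether any administrator account or role group it created was expected.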
