A recent security analysis has revealed how chaining seemingly minor logic flaws in Dell Wyse Management Suite (WMS) On-Premises can result in a complete system compromise.<\/p>\n
Security researchers demonstrated that combining two distinct vulnerabilities allows an unauthenticated attacker to bypass security controls and achieve remote code execution (RCE) on the management server<\/a>.\u200b<\/p>\n CVE-2026-22765 (CVSS 8.8):<\/strong> A missing authorization flaw allows a low-privileged remote attacker to escalate privileges to full administrator level.<\/p>\n CVE-2026-22766 (CVSS 7.2):<\/strong> An unrestricted file upload vulnerability<\/a> enables a high-privileged remote attacker to execute arbitrary code on the underlying system.<\/p>\n Dell addressed these security flaws with the release of WMS version 5.5 on February 23, 2026. The vulnerabilities specifically impact the on-premises deployments of both the free Standard and paid Pro editions.<\/p>\n The path to unauthenticated remote code execution relies on stringing together device registration flaws, unprotected API endpoints,<\/a> and path traversal bypasses.<\/p>\n The attack begins with device registration. In the default configuration of the on-premises version, an attacker can register a rogue device by submitting an empty group token.<\/p>\n While this places the device into a restricted quarantine group, it successfully returns a device identifier and authentication code, providing the initial foothold needed to interact with the WMS API.\u200b<\/p>\n Armed with a valid device signature, the attacker can exploit improperly exposed Active Directory (AD) import routes.<\/p>\n By sequentially calling the\u00a0importADUserGroups\u00a0and\u00a0addRoleToADGroup\u00a0API endpoints, the attacker constructs a custom role group with administrative privileges.<\/p>\n The\u00a0importADUsers\u00a0endpoint is then manipulated to provision a new administrator account linked to this role.\u200b Accessing this newly created account requires overcoming an authentication barrier.<\/p>\n According to PTsecurity research,<\/a> attackers have two distinct methods to achieve this. The first method exploits a logic flaw in the password reset function.<\/p>\n By importing the administrator with an empty Active Directory User Principal Name (UPN)<\/a>, the system\u2019s AD user check fails, allowing the attacker to request a password reset to an external email address.<\/p>\n Alternatively, in Pro environments with LDAP configured, an attacker can supply the identifier of a compromised low-privileged domain user during the import process.<\/p>\n Allowing them to authenticate as the administrator using standard domain credentials.\u200b The final phase leverages these newly acquired administrative privileges to deploy a malicious JSP web shell.<\/a><\/p>\nThe Exploitation Chain<\/strong><\/h2>\n
![\"attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEioG-9ZcKNBVMNS9nb0F5ZIcpsibPWmCiNxXCX5BLdsv42wEzZPxAGTmMcckCu1Fhlyi-f_3hoW_1rCPnWXy5h-gsOG9G1pUU_PKhavXxWhnxFpC-MuV8b7IGIrX0wwAwE8Gro7xFYQD2FtxLQHyTkEipH5K9VQV7Btchv0HGddtMD_hSJKtCZ-bxRtjek\/s1600\/Screenshot%25202026-03-24%2520185659%2520%25281%2529.webp?ssl=1\")
![\"New](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitsshFSqKgJOEXQVQB0F_tdiQaM7TL63Q5EKA76C6yIzsz1-gM71ACqwgzaCW07Cy37NRbYaiNtVgS37CICaFkebcK77wbCoWUCmaEY_92fpTN2-0FNubqA6-RRMBWLKjSdljHB_NI8ScbwEzXuaHo57mCboEJ8-YUFWV647bmPgbWfW6cufO5JCONvJw\/s1600\/Screenshot%25202026-03-24%2520185719%2520%25281%2529.webp?ssl=1\")
![\"Command](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj21RTx1GaMnga4hoUdWAXu07efh-w1BzmTmDRkt5M0NP21iP49b77L-SsmxaSv0j2KffVb2jDIbx_ohj_fWiYH3Rrw3tVm1AkUlRGZZsB26HJGrjbeoSiGMhmJ8RHLgr7n60Tlqssod_vaiapkDiBb5fqAtCklE-PAfb69vJEyPIkq5ZlR2xjccGpNO4s\/s1600\/Screenshot%25202026-03-24%2520185733%2520%25281%2529.webp?ssl=1\")