Dell Wyse Management Suite Bug Chain Leads to Unauthenticated RCE
Security researchers have disclosed a dangerous exploit chain in Dell Wyse Management Suite (WMS) On-Prem that could allow an unauthenticated attacker to achieve remote code execution on exposed servers. The issue was detailed by Positive Technologies, which showed how several smaller weaknesses could be linked together into a full compromise.
Attack Starts With Device Registration
According to the research, the attack begins with the way WMS handles device registration. In its default configuration, the on-prem version may allow a device to register using an empty group token. Instead of blocking the request, the platform places the device into a quarantine group.
At first glance, that behavior may not look critical. However, the researcher found that even limited device access was enough to interact with additional API routes and move further into the application.
Active Directory Import Logic Opened the Door
The next stage of the attack involved Active Directory import functions. Once the fake device was registered, the attacker could reportedly access endpoints tied to importing users, creating AD-backed role groups, and assigning privileges.
By abusing this business logic, an attacker could create a new administrative account in the management platform. This turned what looked like a low-severity device registration problem into a much more serious privilege escalation path.
Authentication Bypass Made Admin Access Possible
After creating the admin account, the remaining challenge was authentication. The research describes two possible ways to solve that problem.
One path involved abusing the password reset process for imported users. Another applied to Pro deployments with LDAP enabled, where the newly created administrator could be mapped to a compromised domain account.
With that, the attacker could gain administrative access to the Dell Wyse Management Suite console.
File Upload Abuse Led to Remote Code Execution
The final phase of the chain targeted file handling. Researchers found that an administrator could change the local repository path to Tomcat’s web root and then restart Tomcat so the new path would be loaded.
That made it possible to upload a JSP web shell through an image upload function. Once the file landed in the web-accessible directory, the attacker could execute commands remotely on the server.
In practical terms, this meant the full chain could end in unauthenticated remote code execution.
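A defender-side check for the condition described above, as an added example that is not code from Positive Technologies or Dell: it tests whether a configured repository path resolves inside a Tomcat web root, and lists JSP files or image-named files that lack an image header. The directory layout and file names are constructed for the demo; substitute the paths from your own deployment.

```python
import tempfile
from pathlib import Path

JSP_EXTENSIONS = {".jsp", ".jspx"}  # mapped to the JSP servlet in Tomcat's default web.xml
IMAGE_MAGIC = {  # expected leading bytes per image extension
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def repo_inside_webroot(repo_path, web_root):
    """True if the repository path resolves to the web root or a directory below it."""
    repo, root = Path(repo_path).resolve(), Path(web_root).resolve()
    return repo == root or root in repo.parents

def find_suspicious_files(directory):
    """Return sorted (relative path, reason) pairs for JSP files and fake images."""
    base, findings = Path(directory), []
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        ext, rel = path.suffix.lower(), path.relative_to(base).as_posix()
        if ext in JSP_EXTENSIONS:
            findings.append((rel, "jsp-extension"))
        elif ext in IMAGE_MAGIC:
            with path.open("rb") as fh:
                head = fh.read(16)
            if not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "image-extension-without-image-header"))
    return sorted(findings)

def demo():
    """Build a constructed directory tree and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "tomcat", "webapps", "ROOT")  # hypothetical layout
        safe_repo = Path(tmp, "repository")
        bad_repo = web_root / "images"
        for d in (safe_repo, bad_repo):
            d.mkdir(parents=True)
        (bad_repo / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        (bad_repo / "banner.JSP").write_bytes(b"constructed placeholder")
        (bad_repo / "icon.gif").write_bytes(b"constructed text, not a GIF")
        return (repo_inside_webroot(safe_repo, web_root),
                repo_inside_webroot(bad_repo, web_root),
                find_suspicious_files(web_root))

if __name__ == "__main__":
    print(demo())
```

The header check only covers the listed image types and is a triage heuristic, so treat a hit as a file to inspect rather than proof of compromise.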
CVEs and Patch Information
The research identified CVE-2026-22765 with a CVSS score of 8.8 and CVE-2026-22766 with a CVSS score of 7.2. While each issue is serious on its own, the real risk comes from chaining them together.
Dell addressed the problems in Wyse Management Suite 5.5, released on February 23, 2026.
Why This Matters
The findings highlight how business logic flaws and configuration weaknesses can become highly dangerous when combined. Organizations running Dell Wyse Management Suite On-Prem should patch immediately and review whether management interfaces, LDAP integrations, or related services are exposed to untrusted networks.