A recent security study showed that chaining what look like small logic flaws in Dell Wyse Management Suite (WMS) On-Premises can lead to a full system compromise. Security researchers showed that an unauthenticated attacker can bypass security controls and achieve remote code execution (RCE) on the management server by combining two different vulnerabilities.
CVE-2026-22765 (CVSS 8.8): A flaw in the authorization process lets a low-privileged remote attacker gain full administrator rights.
CVE-2026-22766 (CVSS 7.2): An unrestricted file upload flaw lets a high-privileged remote attacker run arbitrary code on the system.
On February 23, 2026, Dell released WMS version 5.5 to fix these security holes.
The vulnerabilities only affect the on-premises versions of the free Standard and paid Pro editions.
The Exploitation Chain
Reaching unauthenticated remote code execution requires chaining flaws in device registration, unprotected API endpoints, and path traversal bypasses. The first step in the attack is registering a device.
In the default setup of the on-premises version, an attacker can register a fake device by submitting an empty group token.
[Figure: Attack chain (Source: PT Security)]
Even though this places the device in a limited quarantine group, the server still returns a device identifier and authentication code, which is the first thing needed to interact with the WMS API. With a valid device signature, the attacker can take advantage of Active Directory (AD) import routes that are not properly protected.
The attacker creates a custom role group with administrative privileges by calling the importADUserGroups and addRoleToADGroup API endpoints one after the other. The importADUsers endpoint is then manipulated so that a new administrator account is created for this role. To get into this new account, the attacker still has to get past an authentication barrier.
[Figure: New password after reset (Source: PT Security)]
PT Security's research shows that attackers can do this in two different ways. The first method takes advantage of a bug in the password reset function. When the attacker imports the administrator with an empty Active Directory User Principal Name (UPN), the system's AD user check fails. This lets the attacker request a password reset to an email address outside of the system.
[Figure: Execution of commands (Source: PT Security)]
In Pro environments with LDAP set up, on the other hand, an attacker can supply the identifier of a compromised low-privileged domain user during the import process. This lets them log in as the administrator with regular domain credentials. The last step uses these new administrative rights to install a malicious JSP web shell.
Even though the application has filters to protect against traditional path traversal attacks, an administrator can maliciously change the settings for the local file repository. By changing the repository path to point directly to the Tomcat web root directory and sending an API command to restart the Tomcat service, the attacker clears the path configuration cache and gets around all file upload restrictions.
An image upload route can then be used to upload a JSP payload, which allows complete remote code execution without authentication. Dell released WMS version 5.5, which fixes these major logic errors and effectively breaks the exploitation chain. System administrators in charge of Dell WMS On-Premises deployments need to update their infrastructure right away to protect their environments from these types of attacks.
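For teams reviewing logs on servers that have not yet been updated, the AD import sequence described above (importADUserGroups, addRoleToADGroup, then importADUsers from one client) can be hunted for in web access logs. The following is an added example, not code from Dell or PT Security; the log layout, the /placeholder/ URL paths, the assumption that the endpoint name is the last path segment, and the 10-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Endpoint names from the article; full URL paths are not given there.
CHAIN = ("importADUserGroups", "addRoleToADGroup", "importADUsers")
WINDOW = timedelta(minutes=10)  # assumed correlation window
# Assumed layout: common access-log format (client, [timestamp], "METHOD path").
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

# Constructed sample lines; addresses and /placeholder/ paths are not real.
SAMPLE_LOG = """\
192.0.2.44 - - [01/Mar/2026:09:00:00 +0000] "POST /placeholder/importADUserGroups HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2026:10:00:01 +0000] "POST /placeholder/importADUserGroups HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2026:10:00:03 +0000] "POST /placeholder/addRoleToADGroup HTTP/1.1" 200 128
203.0.113.9 - - [01/Mar/2026:10:00:04 +0000] "POST /placeholder/importADUsers HTTP/1.1" 200 256
198.51.100.7 - - [01/Mar/2026:10:00:05 +0000] "POST /placeholder/importADUsers HTTP/1.1" 200 256
192.0.2.44 - - [01/Mar/2026:11:30:00 +0000] "POST /placeholder/addRoleToADGroup HTTP/1.1" 200 128
192.0.2.44 - - [01/Mar/2026:11:30:05 +0000] "POST /placeholder/importADUsers HTTP/1.1" 200 256
"""

def endpoint_of(path):
    """Return the chain endpoint named by the last path segment, if any."""
    last = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return last if last in CHAIN else None

def find_chains(log_text, window=WINDOW):
    """Return (client, first_call, last_call) for each in-order, in-window chain."""
    progress = {}  # client -> (index of next expected endpoint, time of first call)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ep = endpoint_of(m.group(3)) if m else None
        if ep is None:
            continue
        client = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        idx, start = progress.get(client, (0, when))
        if idx and when - start > window:
            idx = 0  # partial chain went stale; start over
        if ep == CHAIN[idx]:
            idx, start = idx + 1, (when if idx == 0 else start)
        elif ep == CHAIN[0]:
            idx, start = 1, when  # chain restarted from its first call
        if idx == len(CHAIN):
            hits.append((client, start, when))
            idx = 0
        progress[client] = (idx, start)
    return hits
```

A legitimate AD import by an administrator produces the same sequence, so a hit is a lead to check against recent device registrations in the quarantine group rather than proof of compromise.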