CyberSecurityNews

Dell Wyse Management Vulnerabilities Enable Complete System Compromise


A recent security analysis has revealed how chaining seemingly minor logic flaws in Dell Wyse Management Suite (WMS) On-Premises can result in a complete system compromise.

Security researchers demonstrated that combining two distinct vulnerabilities allows an unauthenticated attacker to bypass security controls and achieve remote code execution (RCE) on the management server.

CVE-2026-22765 (CVSS 8.8): A missing authorization flaw allows a low-privileged remote attacker to escalate privileges to full administrator level.

CVE-2026-22766 (CVSS 7.2): An unrestricted file upload vulnerability enables a high-privileged remote attacker to execute arbitrary code on the underlying system.

Dell addressed these security flaws with the release of WMS version 5.5 on February 23, 2026. The vulnerabilities specifically impact the on-premises deployments of both the free Standard and paid Pro editions.

The Exploitation Chain

The path to unauthenticated remote code execution relies on stringing together device registration flaws, unprotected API endpoints, and path traversal bypasses.


The attack begins with device registration. In the default configuration of the on-premises version, an attacker can register a rogue device by submitting an empty group token.

attack chain (Source: PT Security)

While this places the device into a restricted quarantine group, it successfully returns a device identifier and authentication code, providing the initial foothold needed to interact with the WMS API.

Armed with a valid device signature, the attacker can exploit improperly exposed Active Directory (AD) import routes.

By sequentially calling the importADUserGroups and addRoleToADGroup API endpoints, the attacker constructs a custom role group with administrative privileges.

The importADUsers endpoint is then manipulated to provision a new administrator account linked to this role. Accessing this newly created account requires overcoming an authentication barrier.
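As an added detection example (written here, not part of the article or PT Security's research), the following script flags a single client calling the three AD import endpoints named above in escalation order within a short window. The "timestamp client endpoint" log shape and the sample lines are constructed assumptions, since the article does not show the real WMS request-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered API calls of the privilege-escalation step described in the article.
AD_IMPORT_CHAIN = ("importADUserGroups", "addRoleToADGroup", "importADUsers")

# Constructed sample lines in an assumed "timestamp client endpoint" shape.
# 198.51.100.7 completes the chain in order; 203.0.113.5 calls the same
# endpoints out of order and must not be reported.
SAMPLE_LOG = """\
2026-02-24T10:00:01Z 198.51.100.7 importADUserGroups
2026-02-24T10:00:09Z 198.51.100.7 addRoleToADGroup
2026-02-24T10:00:20Z 198.51.100.7 importADUsers
2026-02-24T10:05:00Z 203.0.113.5 importADUsers
2026-02-24T10:06:00Z 203.0.113.5 addRoleToADGroup
2026-02-24T10:06:30Z 203.0.113.5 importADUserGroups
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse(log_text):
    """Yield (timestamp, client, endpoint) for each well-formed line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def find_ad_import_chains(log_text, window_seconds=600):
    """Return (client, first_call, last_call) for every client that called the
    three AD import endpoints in escalation order within window_seconds."""
    window = timedelta(seconds=window_seconds)
    progress = defaultdict(lambda: (0, None))  # client -> (next step index, chain start)
    hits = []
    for ts, client, endpoint in sorted(parse(log_text)):
        idx, start = progress[client]
        if endpoint == AD_IMPORT_CHAIN[idx]:
            start = ts if idx == 0 else start
            if idx + 1 < len(AD_IMPORT_CHAIN):
                progress[client] = (idx + 1, start)
                continue
            if ts - start <= window:
                hits.append((client, start, ts))
            progress[client] = (0, None)
        elif endpoint in AD_IMPORT_CHAIN:
            # Out-of-order step: restart matching, treating a fresh first call as step 1.
            progress[client] = (1, ts) if endpoint == AD_IMPORT_CHAIN[0] else (0, None)
    return hits
```

Legitimate AD imports by a real administrator will also match, so the window and the calling client should be correlated with who was logged in at the time rather than alerted on blindly.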

New password after reset (source: PT Security)

According to PT Security's research, attackers have two distinct methods to achieve this. The first method exploits a logic flaw in the password reset function.

By importing the administrator with an empty Active Directory User Principal Name (UPN), the system’s AD user check fails, allowing the attacker to request a password reset to an external email address.

Command Execution (Source: PT Security)

Alternatively, in Pro environments with LDAP configured, an attacker can supply the identifier of a compromised low-privileged domain user during the import process, allowing them to authenticate as the administrator using standard domain credentials.

The final phase leverages these newly acquired administrative privileges to deploy a malicious JSP web shell.

Although the application implements filters against traditional path traversal attacks, an administrator can maliciously reconfigure the local file repository settings.

By modifying the repository path to point directly to the Tomcat web root directory and issuing an API command to restart the Tomcat service, the attacker clears the path configuration cache and bypasses all file upload restrictions.

A JSP payload can then be uploaded through an image upload route, resulting in complete unauthenticated remote code execution.

Dell released WMS version 5.5, which rectifies these critical logic flaws and effectively breaks the exploitation chain.

System administrators managing Dell WMS On-Premises deployments must update their infrastructure immediately to secure their environments against these attack vectors.
