Two Low-Severity Bugs, One Complete Takeover: Dell WMS On-Premises RCE Chain Exposed
A new vulnerability chain published today breaks Dell Wyse Management Suite (WMS) On-Premises wide open — no credentials required, full remote code execution on the management server.
The research comes from PTsecurity. Two bugs that look manageable on paper turn into something that isn't when you chain them. If you run Dell WMS On-Premises and haven't applied the February 23 patch, stop reading this and go patch.
The Bugs
CVE-2026-22765 (CVSS 8.8) — Missing authorization. A low-privileged remote attacker can escalate straight to full administrator.
CVE-2026-22766 (CVSS 7.2) — Unrestricted file upload. A high-privileged attacker can drop and execute arbitrary code on the underlying system.
Neither CVE is catastrophic alone. Chained together, with a little creativity around default configuration, they hand an unauthenticated attacker complete control of the management server. That's every endpoint WMS manages. The blast radius scales with your fleet.
How the Attack Works
The chain starts with device registration. In the default WMS on-premises configuration, an attacker can register a rogue device using an empty group token. Dell throws it into a restricted quarantine group — but still returns a valid device identifier and authentication code. That's the foothold.
From there, the attacker uses that device signature to hit Active Directory import API endpoints that aren't properly protected: `importADUserGroups`, `addRoleToADGroup`, `importADUsers`. Sequential calls to these endpoints let the attacker build a custom role group with administrative privileges and provision a new admin account linked to it.
Getting into that account takes one more step. Two paths exist:
- Password reset abuse — Import the administrator with an empty Active Directory User Principal Name. Because the AD check fails, the system allows a password reset to an external email address. Attacker controls the inbox, attacker gets the password.
- LDAP pivot (Pro edition) — In environments with LDAP configured, supply a compromised low-privileged domain user's identifier during the import. That account can then authenticate as the new administrator using standard domain credentials.
Now they're in as admin. Final step: deploy a web shell.
WMS has upload filters to block path traversal. The attacker bypasses them by reconfiguring the local file repository path to point at the Tomcat web root directory, then triggering a Tomcat service restart. The restart clears the path configuration cache, stripping the upload restrictions. A JSP payload goes up through the image upload route. Code execution achieved.
Zero credentials in. Full server out.
What's at Risk
WMS On-Premises is a centralized management platform for endpoint fleets. A compromised WMS server isn't just a compromised server — it's a compromised fleet. Patch distribution, configuration management, device control: all of it flows through WMS.
The cloud-hosted version is not affected. This is strictly an on-premises problem. Both the free Standard and paid Pro editions are vulnerable in versions prior to 5.5.
Timeline
- February 23, 2026 — Dell released WMS version 5.5, patching both CVEs and breaking the exploitation chain.
- March 24, 2026 — PTsecurity published full technical details of the attack chain.
That's a one-month window between patch availability and public exploit documentation. If you haven't applied it, the attack is now documented and the barrier to exploitation just dropped.
What to Do
Patch first. WMS version 5.5 fixes both vulnerabilities. Standard and Pro editions both need to be updated.
Then audit your logs. Indicators to look for:
- Device registrations with empty group tokens
- Anomalous calls to AD import API endpoints — especially `importADUserGroups`, `addRoleToADGroup`, `importADUsers`
- Tomcat configuration changes you didn't authorize
- New administrator accounts you didn't provision
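Here is what that log review can look like in code. This is an added example, not the article's or Dell's: the JSON-lines format, field names, event names, URL prefix and admin allowlist are all assumptions, and only the three endpoint names come from the article. It flags each indicator above and also correlates the first two on the same device identity, which is the pattern that opens the chain.

```python
import json
from collections import defaultdict

# Endpoint names are from the article; the "/api/" prefix in the sample is assumed.
AD_IMPORT_ENDPOINTS = {"importADUserGroups", "addRoleToADGroup", "importADUsers"}
TRUSTED_ADMIN_CREATORS = {"it-admin"}  # assumed allowlist of who may create admins

# Constructed sample records: one benign enrolment, then a suspicious sequence.
SAMPLE_LOG = """\
{"event":"device_register","actor":"dev-1001","group_token":"FINANCE-01"}
{"event":"device_register","actor":"dev-4242","group_token":""}
{"event":"api_call","actor":"dev-4242","path":"/api/importADUserGroups"}
{"event":"api_call","actor":"dev-4242","path":"/api/addRoleToADGroup"}
{"event":"api_call","actor":"dev-4242","path":"/api/importADUsers"}
{"event":"user_create","actor":"dev-4242","user":"svc-backup","role":"admin"}
{"event":"config_change","actor":"svc-backup","key":"local_repository_path","value":"/opt/tomcat/webapps/ROOT"}
"""

def parse_log(text):
    """Parse JSON-lines audit text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _endpoint(record):
    """Last path segment of an api_call record, or '' when there is no path."""
    return record.get("path", "").rsplit("/", 1)[-1]

def find_indicators(records):
    """Map each indicator from the article to the actors (or accounts) that triggered it."""
    hits = defaultdict(list)
    for r in records:
        ev, actor = r.get("event"), r.get("actor")
        if ev == "device_register" and not r.get("group_token"):
            hits["empty_group_token_registration"].append(actor)
        elif ev == "api_call" and _endpoint(r) in AD_IMPORT_ENDPOINTS:
            hits["ad_import_endpoint_call"].append(actor)
        elif ev == "user_create" and r.get("role") == "admin" and actor not in TRUSTED_ADMIN_CREATORS:
            hits["unprovisioned_admin_account"].append(r.get("user"))
        elif ev == "config_change" and r.get("key") == "local_repository_path":
            hits["repository_path_change"].append(actor)
    return dict(hits)

def chained_actors(records):
    """Device identities that registered with an empty token and then hit the AD import API.
    Records are assumed to be in log order, so the registration precedes the calls."""
    empty_token, chained = set(), set()
    for r in records:
        if r.get("event") == "device_register" and not r.get("group_token"):
            empty_token.add(r.get("actor"))
        elif r.get("event") == "api_call" and r.get("actor") in empty_token \
                and _endpoint(r) in AD_IMPORT_ENDPOINTS:
            chained.add(r["actor"])
    return chained

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, who in find_indicators(recs).items():
        print(f"{name}: {who}")
    print("registration-to-AD-import chain:", chained_actors(recs))
```

Any single hit deserves a look, but an actor appearing in `chained_actors` is the sequence the article describes and should be treated as an active intrusion until proven otherwise.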
Harden registration. Default WMS configuration allows open device registration with empty group tokens. Require validated, non-empty group tokens. If you can't require that immediately, restrict API access to trusted management networks at the network level.
Check LDAP configs in Pro environments. Low-privileged domain accounts shouldn't be usable to authenticate as WMS administrators. Review what LDAP integration grants before someone else does.
The Bigger Lesson
Both CVEs have scores that, individually, might not trigger emergency response. CVE-2026-22766 is a 7.2 — most organizations would patch it on the next cycle, not tonight.
That thinking is the problem. CVSS scores individual bugs. Attackers chain them. PTsecurity's research is a clean example of why "we patch criticals first" isn't a complete strategy when two high-severity issues add up to full unauthenticated RCE.
Dell WMS manages endpoints. Endpoints are where ransomware deploys, where data lives, where attackers want to be. This one is worth treating like the 9.0 it effectively is.
Version 5.5. Now.