NEWS Just leave the field blank. A single bug in Dell's code allowed hackers to take over its servers.

pinkman

How a Russian researcher hacked Dell through a "secure" zone.
A researcher from Positive Technologies discovered a chain of vulnerabilities in Dell Wyse Management Suite (WMS) that lets an unauthenticated attacker execute arbitrary code on the management server. The issue affects the on-premises version of the product, which is used to manage fleets of Dell thin clients. Dell fixed it in version 5.5, released on February 23, 2026.

According to the technical analysis published by researcher Alexander Zhurnakov on the PT SWARM blog, the attack chains several weaknesses in sequence. None of them is critical on its own, but together they lead to full compromise of the system.

Two of the issues received CVE identifiers: CVE-2026-22765 (CVSS 8.8), a privilege escalation, and CVE-2026-22766 (CVSS 7.2), remote code execution that requires administrative access. The remaining steps of the chain are logic flaws that did not receive separate identifiers.

The entry point is the device registration mechanism. In the on-premises version of WMS, with default settings, a device may register without supplying a group token. Such a device lands in a quarantine group and formally has no privileges, but it is still issued the identifiers needed to sign API requests, so an attacker who registers a fake device can talk to the server API as that device.

Using these signed requests, the researcher reached the Active Directory user import endpoints. According to Dell's documentation these are only available in the paid Pro edition, but in practice the free Standard edition also processed calls to those routes. Three consecutive API requests were enough to create a role group, grant it administrative rights, and import a new user carrying full administrator privileges.

The imported user's password is generated automatically and never disclosed, so the attacker has to recover access another way: the password reset mechanism. WMS blocks password resets for Active Directory accounts, but it identifies an AD account by checking that certain AD-related fields are populated rather than by an explicit account type. If the AdUPN field is left blank during import, that check does not recognise the account as AD-managed, and the reset link is sent to whatever external email address was supplied at import time, which the attacker controls.

With administrative access, the researcher pointed the local WMS file repository at the root directory of the Tomcat web application, a location from which JSP files are executed. After uploading a JSP file through the repository and restarting the Tomcat service via the administrative API, the file was served as executable code, giving arbitrary command execution on the server.
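Two of the steps above are plain logic flaws rather than memory bugs, and both have the same shape: a security decision made on a proxy (field completeness, a configurable path) instead of on the authoritative fact. The following illustrative Python, added here for this write-up and not taken from Dell's code or the PT SWARM analysis, shows the flawed password-reset guard beside a hardened one, and a containment check that refuses a file-repository path resolving inside a directory the servlet container executes content from. All names (UserAccount, AuthSource, reset_allowed_vulnerable, reset_allowed_hardened, is_repository_path_safe) and the sample paths are assumptions made for the example.

```python
"""Illustrative hardening for the two logic flaws in the WMS chain.

Added example for this article. Not Dell's code and not a reproduction of the
WMS implementation; every name and path below is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
from typing import Iterable


class AuthSource(Enum):
    LOCAL = "local"
    ACTIVE_DIRECTORY = "ad"


@dataclass
class UserAccount:
    username: str
    email: str
    auth_source: AuthSource   # recorded when the account is created
    ad_upn: str = ""          # legitimately blank for local accounts
    ad_domain: str = ""


def reset_allowed_vulnerable(user: UserAccount) -> bool:
    """Flawed guard: infers 'is an AD account' from populated AD fields.

    An AD user imported with a blank UPN looks like a local account, so the
    reset link goes out to whatever email address was supplied at import.
    """
    is_ad_user = bool(user.ad_upn) and bool(user.ad_domain)
    return not is_ad_user


def reset_allowed_hardened(user: UserAccount) -> bool:
    """Fixed guard: decide on the authoritative authentication source that was
    set when the account was created. Field completeness is not identity."""
    return user.auth_source is AuthSource.LOCAL


def is_repository_path_safe(repo_path: str, forbidden_roots: Iterable[str]) -> bool:
    """Reject a file-repository location that resolves to, or inside, any
    directory the servlet container executes content from (for example the
    Tomcat webapps root). Paths are resolved first so '..' segments and
    symlinks cannot be used to dodge a naive string-prefix comparison."""
    repo = Path(repo_path).resolve()
    for root in forbidden_roots:
        root_resolved = Path(root).resolve()
        if repo == root_resolved or root_resolved in repo.parents:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample input: an AD import with the UPN deliberately blank.
    attacker_import = UserAccount(
        username="svc-import",
        email="attacker@example.invalid",
        auth_source=AuthSource.ACTIVE_DIRECTORY,
        ad_upn="",
        ad_domain="corp",
    )
    print("vulnerable guard allows reset:", reset_allowed_vulnerable(attacker_import))
    print("hardened guard allows reset:  ", reset_allowed_hardened(attacker_import))

    webapps = ["/opt/tomcat/webapps"]  # assumed container root
    print("repo under webapps ok:", is_repository_path_safe("/opt/tomcat/webapps/ROOT/repo", webapps))
    print("repo via '..' ok:     ", is_repository_path_safe("/var/wms/../../opt/tomcat/webapps/ROOT", webapps))
    print("separate repo ok:     ", is_repository_path_safe("/var/wms/repository", webapps))
```

The repository check is the kind of input validation that makes the last step of the chain fail even if an attacker already holds an administrator session: a management console should never let an operator (or someone impersonating one) relocate an upload directory into a path the application server will execute.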

Zhurnakov reported the vulnerabilities to Dell on December 24, 2025. The vendor acknowledged the report on December 30 and published the CVEs with an associated advisory on February 25, 2026. The technical analysis was published on March 23, 2026, after approval from Dell.