The Thin Client Trap: How a Vulnerability Chain in Dell Wyse Management Suite Unlocks Remote Code Execution

A researcher hailing from Positive Technologies has unearthed a labyrinthine chain of vulnerabilities festering within the Dell Wyse Management Suite. This profoundly critical tribulation empowers an unauthenticated digital marauder to orchestrate the remote execution of arbitrary code upon the sovereign server. The affliction casts its shadow exclusively over the localized, on-premises iteration of the product, an architecture specifically engineered to shepherd fleets of Dell thin clients. On the 23rd of February, 2026, the Dell corporation promulgated an indispensable fortification, encapsulated within version 5.5, to vanquish this peril.

As elucidated by the rigorous forensic dissection published by researcher Aleksandr Zhurnakov upon the PT SWARM chronicle, the kinetic strike is predicated upon the sequential exploitation of discrete frailties. Whilst each vulnerability, in isolation, falls short of a catastrophic crescendo, their unholy synergy culminates in the absolute compromise of the system’s architecture.

Throughout the course of this inquisition, twain distinct vulnerabilities were chronicled and bestowed identifiers: CVE-2026-22765, bearing a formidable CVSS severity score of 8.8, which facilitates the escalation of privileges; and CVE-2026-22766, commanding a score of 7.2, which ultimately unlocks the dominion of remote code execution, contingent upon the acquisition of administrative sovereignty.

The primordial conduit for this bombardment is the apparatus governing device enrollment. Within the on-premises iteration of WMS, the default configurations unwittingly permit the registration of an apparatus bereft of a group token. Such an entity is subsequently relegated to a quarantined enclave and, ostensibly, denied any elevated privileges; nevertheless, it is endowed with specific identifiers that empower it to forge cryptographically signed API petitions.