
SQL Injection in Dell Wyse Management Suite: CVE-2026-44272 (CVSS 8.8) - Update to 2605

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.23 · 6 min read
Key takeaways

Dell Wyse Management Suite, used to centrally manage fleets of thin clients, has a high-severity flaw (CVSS 8.8, CVE-2026-44272). A low-privileged logged-in attacker can use SQL injection to reach information and operations beyond their rights, putting the management base at risk. All versions before 2605 are affected; update to 2605 now.

Dell's Wyse Management Suite (WMS), the software enterprises use to centrally manage large fleets of "thin clients" (lightweight business terminals that offload processing to a server), has a high-severity flaw. It is tracked as CVE-2026-44272, with a CVSS score of 8.8 ("High"). It was published as Dell advisory DSA-2026-247 in June 2026 and is listed in NVD.

The bug type is "SQL injection." An attacker who can log in can send crafted strings (for example into input fields) that make the database behind the management console run unintended commands, reaching information and operations that should be off-limits. Dell states that "a low-privileged attacker with remote access could potentially exploit this, leading to unauthorized access." All versions before 2605 are affected, and the fix is 2605.

Software: Dell Wyse Management Suite (WMS)
CVE: CVE-2026-44272 (DSA-2026-247)
Severity: CVSS 8.8 (High)
Type: SQL injection (CWE-89)
Affected: all versions before 2605
Fixed in: 2605 and later
Attack conditions: low-privileged login, over the network

Who is at risk, and what is the damage

The bug is reachable by an attacker who can log in to the WMS console with low privileges: a limited operator account, stolen low-privilege credentials, or a malicious insider. It is not exploitable by anyone on the internet unconditionally; the attacker first needs some minimal access.

From that foothold, the attacker uses SQL injection to reach database information and operations that their privileges should not allow. An account meant to do only a few limited things can reach into the management database itself; that is the danger here.

WMS is the command center for the many thin-client endpoints deployed across an organization. If it is breached, the inventory of managed devices, their configuration, and operational settings come into the attacker's view, and in some cases this can lead to unauthorized instructions to the fleet or a foothold for deeper intrusion. Thin clients are widely used in healthcare, finance, call centers, and retail β€” settings that cannot afford downtime β€” so the impact of a compromised management base is not small. That is why the update below is urgent.

What is happening, technically

It is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL injection). When the application builds a database query by splicing user-supplied text into the SQL string and fails to neutralize characters that have meaning in SQL (quotes, comment markers, keywords), an attacker can supply input that the database executes as part of the command rather than treating it as data, enabling reads or writes the application never intended.
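To make the CWE-89 mechanism concrete, here is an added example; it is not WMS code and does not reflect the product's real schema, queries, or the payload behind this CVE. It models a hypothetical device-search function in a management console, once written by string concatenation and once with a parameterized query, run against a small in-memory SQLite database constructed for the demo. The operator account is scoped to a single site, which is the "low privilege" in this scenario, and the injected search text collapses that scope so the operator sees every site's devices.

```python
import sqlite3

# Hypothetical schema and rows, constructed for this demo only; they are not
# the real Wyse Management Suite schema.
DEMO_DEVICES = [
    (1, "kiosk-01", "branch-a"),
    (2, "teller-02", "branch-a"),
    (3, "kiosk-07", "branch-b"),
    (4, "nurse-station-03", "hq"),
]

# A crafted search string: the quote closes the LIKE literal, "OR 1=1" makes
# the WHERE clause always true, and "--" comments out the rest of the query.
INJECTION = "' OR 1=1 --"


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database with a devices table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, site TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEMO_DEVICES)
    conn.commit()
    return conn


def search_devices_vulnerable(conn: sqlite3.Connection, operator_site: str, name_filter: str) -> list:
    """CWE-89: the operator's site scope and the search text are spliced
    straight into the SQL string, so special characters in name_filter
    rewrite the query instead of being matched as data."""
    query = (
        "SELECT id, name, site FROM devices "
        f"WHERE site = '{operator_site}' AND name LIKE '%{name_filter}%'"
    )
    return conn.execute(query).fetchall()


def search_devices_safe(conn: sqlite3.Connection, operator_site: str, name_filter: str) -> list:
    """Hardened form: placeholders keep the user text as a bound value. The
    LIKE pattern is assembled in Python and passed as a single parameter, so
    quotes and comment markers inside it have no SQL meaning."""
    query = "SELECT id, name, site FROM devices WHERE site = ? AND name LIKE ?"
    return conn.execute(query, (operator_site, f"%{name_filter}%")).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print("legit search, vulnerable:", search_devices_vulnerable(conn, "branch-a", "kiosk"))
    # The concatenated query becomes:
    #   ... WHERE site = 'branch-a' AND name LIKE '%' OR 1=1 --%'
    # and the scoped operator receives all four devices across three sites.
    print("injected, vulnerable:   ", search_devices_vulnerable(conn, "branch-a", INJECTION))
    # The parameterized query looks for a device literally named like
    # "%' OR 1=1 --%" inside branch-a and finds nothing.
    print("injected, hardened:     ", search_devices_safe(conn, "branch-a", INJECTION))
```

The point to take from the hardened version is that the fix is structural, not a blocklist of bad characters: the site scope and the search text never become part of the SQL grammar, so the same payload is simply an unmatched pattern.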

The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact. What separates it from an unauthenticated bug is PR:L: a low-privileged login is required. Even so, it scores 8.8 because every other metric sits at its worst value, which is exactly the profile of a flaw that lets an attacker who already has an internal foothold expand the damage.

This is not WMS's first flaw. DSA-2026-103 in February 2026 also fixed several issues (including the remote code execution bug CVE-2026-22766). As a management base it is a recurring target and receives regular security fixes, so organizations need a routine for tracking these updates.

Confirmed vs. still unknown

✓ Confirmed facts

  • ✓ CVE-2026-44272 is a CVSS 8.8 SQL injection; a low-privileged remote attacker can gain unauthorized access (NVD / Dell)
  • ✓ All versions before 2605 are affected; fixed in 2605+
  • ✓ Exploitation requires a low-privileged login (not unauthenticated)

? Not yet confirmed

  • ? Whether it has been exploited in the wild: not on CISA KEV at the time of writing
  • ? Whether a public PoC exists: no reliable public information confirmed at the time of writing

What to do now

The top priority is to update Wyse Management Suite to 2605 or later. Dell advisory DSA-2026-247 lists the affected and fixed versions and where to get the update. If you run anything before 2605, treat it as affected.

If you cannot update right away, narrow the preconditions. Do not expose the WMS console directly to the internet; keep it reachable only from the internal network or through a VPN. Inventory the accounts that can log in, remove unused accounts, and strip privileges that are not needed. Review low-privilege account passwords, check for signs of compromise, and look through whatever login and audit logging the console provides for unusual activity from limited accounts. These basics are especially effective against a login-gated bug like this. Also keep an eye on Dell's security advisories so WMS updates are not missed.

Summary

CVE-2026-44272 is a CVSS 8.8 flaw in Dell Wyse Management Suite, which manages thin clients: a low-privileged logged-in attacker can use SQL injection to gain unauthorized access. All versions before 2605 are affected, with a fix in 2605. Because it requires authentication it has more preconditions than an unauthenticated takeover, but it is a hole that lets an attacker who is already inside expand the damage.

A management base that ties many endpoints together is a high-value target: one foothold there reaches every managed device. Review the update and the scope of who can log in together.
