CVE-2022-46676

Vulnerability

Wyse Management Suite versions 3.8 and earlier (including all prior releases) contain an improper access control vulnerability (CVE-2022-46676). The flaw allows a user with group admin privileges to disable or delete users under administration and unassigned admins for which the group admin is not authorized. The code path is reachable when a group admin is able to access account management functions that do not enforce proper authorization checks.

Exploitation

An attacker must possess a valid admin account with group-level privileges and be able to authenticate to the Wyse Management Suite web interface. No additional network position or user interaction is required beyond standard authenticated access. The attacker can then use the management console's user administration functions to disable or delete other users or unassigned admins outside their authorized group by crafting requests that bypass the intended permission checks.

Impact

Successful exploitation allows an authenticated malicious group admin to disable or delete users and unassigned admins without proper authorization. This can lead to denial of service (loss of access to the management console for affected users) and potential disruption of administrative operations. The CVSS 3.1 base score is 4.9 (Medium), with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. No confidentiality or data integrity impact is listed, as the primary consequence is availability loss.

Mitigation

Dell has released the fix in Wyse Management Suite version 3.8.1 (or later). Users should upgrade to version 3.8.1 or newer, as detailed in Dell advisory DSA-2022-329 [1]. There is no workaround reported for this vulnerability, and upgrading is the recommended mitigation. No known exploitation in the wild has been reported as of publication.