CVE-2009-0695

Published: Jun 19, 2012Modified: Apr 29, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.

Affected (3)

Products: Dell: Wyse Device Manager

Dell

1 product

Wyse Device Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Dell Wyse Device Manager	Version 4.7.0
Dell Wyse Device Manager	Version 4.7.1
Dell Wyse Device Manager	Version 4.7.2

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (10)

http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Source: cret@cert.org

http://www.exploit-db.com/exploits/19137/

Source: cret@cert.org

Exploit

http://www.kb.cert.org/vuls/id/654545

Source: cret@cert.org

US Government Resource

http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/

Source: cret@cert.org

http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf

Source: cret@cert.org

http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html