CVE-2009-0695

Wyse Device Manager 4.7.x - Unauthenticated Remote Command Execution via hagent.exe

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-0695. PoCs published by kf, it.solunium, including Metasploit module exploits/multi/wyse/hagent_untrusted_hsdata.

AI-analyzed exploit summary This Metasploit module exploits CVE-2009-0695 in Wyse Rapport Hagent by impersonating a legitimate server, tricking the target into downloading and executing a malicious payload via FTP. It supports both Windows and Linux targets.

Description

hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.

Exploits (3)

exploitdb WORKING POC VERIFIED

by kf · rubyremotemultiple

https://www.exploit-db.com/exploits/9934

View Code ZIP pw:eip

This Metasploit module exploits CVE-2009-0695 in Wyse Rapport Hagent by impersonating a legitimate server, tricking the target into downloading and executing a malicious payload via FTP. It supports both Windows and Linux targets.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Wyse Rapport Hagent

No auth needed

Prerequisites: Network access to the target's Hagent service · FTP and HTTP services on attacker's machine

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by it.solunium · rubydoshardware

https://www.exploit-db.com/exploits/19137

View Code ZIP pw:eip

This Metasploit auxiliary module exploits CVE-2009-0695 in the Wyse Rapport Hagent service to remotely power off Wyse machines by sending a crafted request to port 80. It verifies vulnerability by checking for a specific response ('&00').

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Wyse Rapport Hagent service (Wyse Linux x86)

No auth needed

Prerequisites: Network access to target port 80

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb

View Code ZIP pw:eip

This Metasploit module exploits Wyse Rapport Hagent by impersonating a legitimate server, tricking the target into downloading and executing a payload via FTP. It supports both Windows and Linux targets.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Wyse Rapport Hagent (CVE-2009-0695)

No auth needed

Prerequisites: Network access to target · FTP and HTTP services on attacker machine

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_misc

http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/654545

Third Party Advisory mailing-list x_refsource_fulldisc

http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Various Sources x_refsource_misc

http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/19137/

Scores

EPSS 0.6960

EPSS Percentile 99.3%

Details

CWE

CWE-287

Status published

Products (3)

dell/wyse_device_manager 4.7.0

dell/wyse_device_manager 4.7.1

dell/wyse_device_manager 4.7.2

Published Jun 19, 2012

Tracked Since Feb 18, 2026