CVE-2026-40713: Dell ThinOS 10 Improper Access Control – Patch Guide
Dell ThinOS 10 devices running versions before 2602_10.0765 have a flaw that allows someone with physical access to the device—without needing to log in—to view sensitive information stored on it. This is a medium-severity issue because it requires hands-on access to the hardware, but once someone has that access, the controls meant to protect data don't work properly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access control vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information exposure.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40713 is an improper access control vulnerability (CWE-284) in Dell ThinOS 10 that permits unauthenticated physical access to bypass authentication mechanisms and retrieve confidential data. The vulnerability affects all ThinOS 10 releases prior to version 2602_10.0765. The CVSS 3.1 score of 6.1 (MEDIUM) reflects the physical attack vector requirement, though both confidentiality and integrity are rated high once the device is physically compromised.
Business impact
For organizations deploying Dell ThinOS 10 thin clients—particularly in shared or less-secure physical environments—this vulnerability poses a data exposure risk. An attacker with brief physical possession of a device could extract cached credentials, session data, or other sensitive information without authentication. In scenarios where ThinOS devices are deployed in public areas, kiosks, or high-turnover environments, remediation should be prioritized to prevent credential compromise and lateral movement into downstream systems.
Affected systems
Dell ThinOS 10 is affected. Organizations should inventory devices currently running ThinOS 10 versions prior to 2602_10.0765. Check your Dell asset management systems or device telemetry to confirm patch status. No other ThinOS versions or Dell operating systems are mentioned in this advisory.
Exploitability
While the vulnerability does not require user authentication or network access, exploitation mandates physical possession of the device. This meaningfully limits real-world attack surface compared to remote exploits, but does not eliminate risk—particularly in high-traffic facilities or supply chain scenarios. The attack is straightforward once physical access is obtained; no special skills or complex tooling are implied. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
Remediation
Update Dell ThinOS 10 devices to version 2602_10.0765 or later. Verify the patch version through Dell's system management tools or by querying device firmware directly. For devices that cannot be immediately patched, strengthen physical security controls: restrict device access, enable full-disk encryption at the ThinOS firmware level if available, and consider placing devices in locked or monitored areas.
Patch guidance
Obtain the ThinOS 10 2602_10.0765 release or later from Dell's support portal or Dell's update management service. If you use Dell's centralized device management solution, consult your Dell representative for guidance on remote firmware deployment. Test patches in a non-production environment first to confirm compatibility with your deployment and applications. Verify applied patches by checking device firmware version after update; consult Dell's advisory for the definitive patch verification method.
Detection guidance
Review device inventory reports and firmware version lists for any ThinOS 10 instances running versions prior to 2602_10.0765. If forensic investigation is warranted, examine device access logs (if available on ThinOS 10) for any unauthorized local sessions or unusual activity correlating with the vulnerability window. Monitor for unusual data exfiltration or credential misuse on systems that receive traffic from potentially affected ThinOS 10 devices.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The physical access requirement substantially reduces real-world exploitability in most enterprise environments. However, organizations with ThinOS devices in publicly accessible or physically unsecured locations should prioritize remediation to prevent credential theft and lateral movement. The medium CVSS score and lack of known active exploitation support a measured, risk-based rollout rather than an emergency response.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects a medium-severity vulnerability driven primarily by the high confidentiality and integrity impact ratings balanced against the requirement for physical device proximity. The attack complexity is low and no privileges are required once physical access is gained, but the attack vector being physical—rather than adjacent or network—significantly caps the severity. Organizations in environments where physical device security is well-controlled may assess local risk as lower; those in open-access settings should weight the risk higher.
Frequently asked questions
Do I need to patch ThinOS devices that are behind locked cabinets or in physically secure data centers?
Physical security controls reduce but do not eliminate risk, particularly if facilities host multiple tenants, contractors, or cleaning staff with varying access levels. Patching remains the definitive remediation and should be prioritized according to your physical security posture and data sensitivity. Relying solely on physical security without patching leaves residual risk.
Can this vulnerability be exploited remotely?
No. The vulnerability explicitly requires physical access to the device. Remote exploitation is not possible based on the current advisory. Network-based attacks cannot trigger this vulnerability.
Does Dell offer automated patch deployment for ThinOS 10?
Consult Dell's management and administration documentation or your Dell support contact for details on centralized update mechanisms. If you use Dell's UEM or firmware management service, ask your vendor representative for guidance on scheduled rollout procedures and rollback contingencies.
What data is at risk if someone gains physical access?
The advisory indicates information exposure is the primary risk; specific data types (credentials, session tokens, user files) are not detailed. Assume that any data cached in RAM, on the boot partition, or in temporary storage could be at risk. Organizations should evaluate the sensitivity of data processed on affected ThinOS devices and prioritize patching accordingly.
This analysis is based on the CVE record and CVSS vector published as of the advisory date. Specific patch availability, deployment procedures, and supported platforms should be verified directly with Dell's security advisories and support documentation. SEC.co makes no warranty as to the completeness, accuracy, or applicability of this analysis for your specific environment. Organizations should conduct their own risk assessment and testing before deploying patches. This document does not constitute legal, compliance, or vendor support advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40715HIGHDell ThinOS 10 Privilege Escalation Vulnerability
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy