Wyse Management Suite 3.8 and below contain an improper access control vulnerability with which an custom group admin can create a subgroup under a group for which the admin is not authorized.