{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39906", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.209Z", "datePublished": "2026-04-14T21:21:21.739Z", "dateUpdated": "2026-05-14T16:06:18.439Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:09:12.494Z"}, "title": "Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting", "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level."}], "datePublic": "2026-04-15T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-441", "description": "Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE"}]}], "affected": [{"vendor": "Unisys", "product": "WebPerfect Image Suite", "versions": [{"status": "affected", "version": "3.0.3960.22810", "versionType": "custom"}, {"status": "affected", "version": "3.0.3960.22604", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"}}], "references": [{"url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129", "tags": ["technical-description", "exploit"]}, {"url": "https://www.unisys.com/solutions/cai/applications/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "timeline": [{"time": "2025-12-15T17:00:00.000Z", "lang": "en", "value": "VulnCheck, as the third-party coordinator and intermediary, initiated outreach to Unisys and other potentially-related entities."}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:50:39.653259Z", "id": "CVE-2026-39906", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T16:06:18.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T13:50:39.653259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:50:48.894Z"}}], "cna": {"title": "Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Unisys", "product": "WebPerfect Image Suite", "versions": [{"status": "affected", "version": "3.0.3960.22810", "versionType": "custom"}, {"status": "affected", "version": "3.0.3960.22604", "versionType": "custom"}], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2025-12-15T17:00:00.000Z", "value": "VulnCheck, as the third-party coordinator and intermediary, initiated outreach to Unisys and other potentially-related entities."}], "datePublic": "2026-04-15T00:00:00.000Z", "references": [{"url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129", "tags": ["technical-description", "exploit"]}, {"url": "https://www.unisys.com/solutions/cai/applications/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-441", "description": "Unintended Proxy or Intermediary ('Confused Deputy')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:09:12.494Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39906", "state": "PUBLISHED", "dateUpdated": "2026-05-14T16:06:18.439Z", "dateReserved": "2026-04-07T20:57:06.209Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-14T21:21:21.739Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22604:*:*:*:*:*:*:*", "matchCriteriaId": "2ED91360-B253-45DB-B64B-AAEDC759632D", "vulnerable": true}, {"criteria": "cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22810:*:*:*:*:*:*:*", "matchCriteriaId": "77C6202C-EF3F-4D52-A435-308B8BFC007B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level."}], "id": "CVE-2026-39906", "lastModified": "2026-05-06T14:38:44.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:32.160", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.unisys.com/solutions/cai/applications/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-441"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0.3960.22810"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0.3960.22604"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WebPerfect Image Suite", "source": "cna", "vendor": "Unisys"}, "product": "webperfect_image_suite", "vendor": "unisys"}], "analysis": {"en": {"generated_at": "2026-04-14T22:22:49.732131+00:00", "value": {"mitigation_remediation": ["Upgrade Unisys WebPerfect Image Suite to a version that removes the deprecated .NET Remoting TCP channel and addresses the NTLM hash leakage.", "If an immediate patch is not available, disable the .NET Remoting TCP channel in the application configuration or block the port with a firewall rule to prevent remote access to the vulnerable service.", "Restrict network access to the WebPerfect service to trusted hosts only, segment the network to limit lateral movement, and monitor NTLM authentication logs for anomalous relay activity."], "summary": {"action": "Immediate Patch", "impact": "NTLMv2 hash leakage leading to potential privilege escalation and lateral movement"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Unisys WebPerfect Image Suite version 3.0.3960.22810 and 3.0.3960.22604. No other versions are listed in the CNA data, so administrators should verify the exact build they run against these identifiers.", "description_and_impact": "Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 allow a remote attacker to exploit a deprecated .NET Remoting TCP channel. By supplying a Windows UNC path as a target file argument, the service performs object-unmarshalling that leaks NTLMv2 machine\u2011account hashes. The attacker can capture the hash and use it for relay attacks, enabling privilege escalation or lateral movement on the network. The root weakness is an insecure legacy .NET Remoting implementation that causes sensitive credential exposure.", "risk_and_exploitability": "The CVSS score is 7.0, indicating a high impact vulnerability. The exploit probability is not available, but the lack of EPSS data suggests the attack is not widely automated yet. The vulnerability is not in the CISA KEV catalog, reducing the immediacy of known exploitation. Attackers need remote network access to the .NET Remoting endpoint, are unauthenticated, and must craft a UNC path payload, which suggests that lateral movement detection and proper network segmentation can mitigate risk."}}}}, "created": "2026-04-15T14:31:57.036136+00:00", "updated": "2026-04-15T14:53:55.904974+00:00", "vendors": ["unisys", "unisys$PRODUCT$webperfect_image_suite"]}