{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39907", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.209Z", "datePublished": "2026-04-14T21:21:43.564Z", "dateUpdated": "2026-05-08T14:08:59.292Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:59.292Z"}, "title": "Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via WCF SOAP", "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network."}], "datePublic": "2026-04-15T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "External Control of File Name or Path", "type": "CWE"}]}], "affected": [{"vendor": "Unisys", "product": "WebPerfect Image Suite", "versions": [{"status": "affected", "version": "3.0.3960.22810", "versionType": "custom"}, {"status": "affected", "version": "3.0.3960.22604", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N"}}], "references": [{"url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129", "tags": ["technical-description", "exploit"]}, {"url": "https://www.unisys.com/solutions/cai/applications/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-wcf-soap", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "timeline": [{"time": "2025-12-15T17:00:00.000Z", "lang": "en", "value": "VulnCheck, as the third-party coordinator and intermediary, initiated outreach to Unisys and other potentially-related entities."}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:34:32.113227Z", "id": "CVE-2026-39907", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:34:53.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:34:32.113227Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:34:48.766Z"}}], "cna": {"title": "Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via WCF SOAP", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Unisys", "product": "WebPerfect Image Suite", "versions": [{"status": "affected", "version": "3.0.3960.22810", "versionType": "custom"}, {"status": "affected", "version": "3.0.3960.22604", "versionType": "custom"}], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2025-12-15T17:00:00.000Z", "value": "VulnCheck, as the third-party coordinator and intermediary, initiated outreach to Unisys and other potentially-related entities."}], "datePublic": "2026-04-15T00:00:00.000Z", "references": [{"url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129", "tags": ["technical-description", "exploit"]}, {"url": "https://www.unisys.com/solutions/cai/applications/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-wcf-soap", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:59.292Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39907", "state": "PUBLISHED", "dateUpdated": "2026-05-08T14:08:59.292Z", "dateReserved": "2026-04-07T20:57:06.209Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-14T21:21:43.564Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22604:*:*:*:*:*:*:*", "matchCriteriaId": "2ED91360-B253-45DB-B64B-AAEDC759632D", "vulnerable": true}, {"criteria": "cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22810:*:*:*:*:*:*:*", "matchCriteriaId": "77C6202C-EF3F-4D52-A435-308B8BFC007B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network."}], "id": "CVE-2026-39907", "lastModified": "2026-05-06T14:30:17.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:32.340", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.unisys.com/solutions/cai/applications/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-wcf-soap"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0.3960.22810"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0.3960.22604"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WebPerfect Image Suite", "source": "cna", "vendor": "Unisys"}, "product": "webperfect_image_suite", "vendor": "unisys"}], "analysis": {"en": {"generated_at": "2026-04-14T22:22:36.512769+00:00", "value": {"mitigation_remediation": ["Check the Unisys product website for an updated release or vendor\u2011issued patch that closes the WCF SOAP input validation flaw.", "If a patch is not available, disable or tightly restrict access to the SOAP endpoint on port 1208, limiting it to trusted hosts only.", "Block outbound SMB traffic from the WebPerfect server to external or untrusted destinations to prevent hash transmission.", "Monitor network logs and the application\u2019s event logs for unexpected SMB connections or license read attempts, and investigate any anomalous activity promptly."], "summary": {"action": "Apply Patch", "impact": "Credential Leakage via NTLMv2 Hash Retrieval"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Unisys WebPerfect Image Suite product. Specifically, the impacted releases are 3.0.3960.22810 and 3.0.3960.22604. These versions include the unauthenticated WCF SOAP endpoint on port 1208, which is required for exploitation.", "description_and_impact": "Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a WCF SOAP endpoint listening on TCP port 1208 that accepts an unsanitized file path. By submitting a crafted SOAP request containing an UNC path to the ReadLicense action, a remote attacker can cause the server to initiate an outbound SMB connection. The SMB authentication process then transmits NTLMv2 machine\u2011account hashes, which the attacker can capture. This flaw allows an unauthenticated attacker to obtain potentially privileged credentials that could be relayed for lateral movement or privilege escalation within the network. The weakness is a classic example of external input used to construct a system path, classified as CWE\u201173.", "risk_and_exploitability": "The CVSS score is 7, indicating moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote over the network, where an attacker submits a malware\u2011injected SOAP request to the exposed endpoint. Because authentication is not required, any host with network access to port 1208 can trigger the hash leakage. Given the medium\u2011high CVSS and the potential for compromised credentials, the risk to an environment that hosts the affected product is significant, especially if SMB traffic is allowed to external or untrusted networks."}}}}, "created": "2026-04-15T14:31:57.035842+00:00", "updated": "2026-04-15T14:53:54.690968+00:00", "vendors": ["unisys", "unisys$PRODUCT$webperfect_image_suite"]}