CVE-2026-39906
CRITICAL
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting
Title source: cna
Description
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
References (3)
Core References
Exploit technical-description
exploit
https://gist.github.com/VAMorales/be3e4ed472c51794493c1256cce16129
Product product
https://www.unisys.com/solutions/cai/applications/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting
Scores
CVSS v3
10.0
EPSS
0.0069
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-441
Status
published
Products (4)
Unisys/WebPerfect Image Suite
3.0.3960.22604
Unisys/WebPerfect Image Suite
3.0.3960.22810
unisys/webperfect_image_suite
3.0.3960.22604
unisys/webperfect_image_suite
3.0.3960.22810
Published
Apr 14, 2026
Tracked Since
Apr 15, 2026