CVE-2026-39906

Analyzed Analyzed - Analysis Complete

NET Remoting Vulnerability in Unisys WebPerfect Leaks NTLMv2 Hashes

Publication date: 2026-04-14

Last updated on: 2026-05-06

Assigner: VulnCheck

Description

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-14

Last Modified

2026-05-06

Generated

2026-06-16

AI Q&A

2026-04-15

EPSS Evaluated

2026-06-15

NVD

CVE-2026-39906

EUVD

EUVD-2026-22724

Affected Vendors & Products

Vendor	Product	Version / Range
unisys	webperfect_image_suite	3.0.3960.22604
unisys	webperfect_image_suite	3.0.3960.22810

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-441	The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CWE ID

Description

CWE-441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

Executive Summary

This vulnerability exists in Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604. It involves the exposure of a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes.

Attackers exploit this by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques, which causes the system to leak the NTLMv2 hash.

The leaked NTLMv2 hash can then be captured and relayed to other hosts, enabling attackers to escalate privileges or move laterally within the network depending on the network configuration and patch level.

Impact Analysis

This vulnerability can impact you by allowing remote unauthenticated attackers to obtain NTLMv2 machine-account hashes.

With these hashes, attackers can perform relay attacks to escalate privileges or move laterally across your network.

Such unauthorized access can lead to compromise of sensitive systems, data breaches, and disruption of services depending on your network's security posture and patch status.

Hi! I’m here to help you understand CVE-2026-39906. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-39906

NET Remoting Vulnerability in Unisys WebPerfect Leaks NTLMv2 Hashes

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart