Description
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
Published: 2026-04-14
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: NTLMv2 hash leakage leading to potential privilege escalation and lateral movement
Action: Immediate Patch
AI Analysis

Impact

Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 allow a remote attacker to exploit a deprecated .NET Remoting TCP channel. By supplying a Windows UNC path as a target file argument, the service performs object-unmarshalling that leaks NTLMv2 machine‑account hashes. The attacker can capture the hash and use it for relay attacks, enabling privilege escalation or lateral movement on the network. The root weakness is an insecure legacy .NET Remoting implementation that causes sensitive credential exposure.

Affected Systems

The vulnerability affects Unisys WebPerfect Image Suite version 3.0.3960.22810 and 3.0.3960.22604. No other versions are listed in the CNA data, so administrators should verify the exact build they run against these identifiers.

Risk and Exploitability

The CVSS score is 7.0, indicating a high impact vulnerability. The exploit probability is not available, but the lack of EPSS data suggests the attack is not widely automated yet. The vulnerability is not in the CISA KEV catalog, reducing the immediacy of known exploitation. Attackers need remote network access to the .NET Remoting endpoint, are unauthenticated, and must craft a UNC path payload, which suggests that lateral movement detection and proper network segmentation can mitigate risk.

Generated by OpenCVE AI on April 14, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Unisys WebPerfect Image Suite to a version that removes the deprecated .NET Remoting TCP channel and addresses the NTLM hash leakage.
  • If an immediate patch is not available, disable the .NET Remoting TCP channel in the application configuration or block the port with a firewall rule to prevent remote access to the vulnerable service.
  • Restrict network access to the WebPerfect service to trusted hosts only, segment the network to limit lateral movement, and monitor NTLM authentication logs for anomalous relay activity.

Generated by OpenCVE AI on April 14, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22604:*:*:*:*:*:*:*
cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22810:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Unisys
Unisys webperfect Image Suite
Vendors & Products Unisys
Unisys webperfect Image Suite

Tue, 14 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
Title Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting
Weaknesses CWE-441
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Unisys Webperfect Image Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T14:38:47.738Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39906

cve-icon Vulnrichment

Updated: 2026-04-16T13:50:48.894Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T22:16:32.160

Modified: 2026-05-06T14:38:44.533

Link: CVE-2026-39906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:55Z

Weaknesses