Description
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.
Published: 2026-04-14
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Leakage via NTLMv2 Hash Retrieval
Action: Apply Patch
AI Analysis

Impact

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a WCF SOAP endpoint listening on TCP port 1208 that accepts an unsanitized file path. By submitting a crafted SOAP request containing an UNC path to the ReadLicense action, a remote attacker can cause the server to initiate an outbound SMB connection. The SMB authentication process then transmits NTLMv2 machine‑account hashes, which the attacker can capture. This flaw allows an unauthenticated attacker to obtain potentially privileged credentials that could be relayed for lateral movement or privilege escalation within the network. The weakness is a classic example of external input used to construct a system path, classified as CWE‑73.

Affected Systems

The vulnerability affects the Unisys WebPerfect Image Suite product. Specifically, the impacted releases are 3.0.3960.22810 and 3.0.3960.22604. These versions include the unauthenticated WCF SOAP endpoint on port 1208, which is required for exploitation.

Risk and Exploitability

The CVSS score is 7, indicating moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote over the network, where an attacker submits a malware‑injected SOAP request to the exposed endpoint. Because authentication is not required, any host with network access to port 1208 can trigger the hash leakage. Given the medium‑high CVSS and the potential for compromised credentials, the risk to an environment that hosts the affected product is significant, especially if SMB traffic is allowed to external or untrusted networks.

Generated by OpenCVE AI on April 14, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Unisys product website for an updated release or vendor‑issued patch that closes the WCF SOAP input validation flaw.
  • If a patch is not available, disable or tightly restrict access to the SOAP endpoint on port 1208, limiting it to trusted hosts only.
  • Block outbound SMB traffic from the WebPerfect server to external or untrusted destinations to prevent hash transmission.
  • Monitor network logs and the application’s event logs for unexpected SMB connections or license read attempts, and investigate any anomalous activity promptly.

Generated by OpenCVE AI on April 14, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22604:*:*:*:*:*:*:*
cpe:2.3:a:unisys:webperfect_image_suite:3.0.3960.22810:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Unisys
Unisys webperfect Image Suite
Vendors & Products Unisys
Unisys webperfect Image Suite

Tue, 14 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.
Title Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via WCF SOAP
Weaknesses CWE-73
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Unisys Webperfect Image Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T14:40:58.937Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39907

cve-icon Vulnrichment

Updated: 2026-04-15T17:34:48.766Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T22:16:32.340

Modified: 2026-05-06T14:30:17.727

Link: CVE-2026-39907

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:54Z

Weaknesses