Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting

Advisories

Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting

severity: high
date: 4/14/2026
Affecting: WebPerfect Image Suite v3.0.3960.22810, 3.0.3960.22604
An affected version range remains undefined
CVE: CVE-2026-39906
CWE: CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CVSS: 7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
References: Unisys Product Page
Credit: Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.
Description: Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo