CVE-2026-39906
Published: 14 April 2026
Summary
CVE-2026-39906 is a critical-severity Confused Deputy (CWE-441) vulnerability in Unisys Webperfect Image Suite. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The exposed .NET Remoting channel enables remote unauthenticated exploitation of a public-facing application (T1190). Supplying a UNC path directly forces NTLM authentication to an attacker server (T1187), enabling hash capture and relay.
NVD Description
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers…
more
can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)