CVE-2026-39906
Published: 14 April 2026
Summary
CVE-2026-39906 is a high-severity Confused Deputy (CWE-441) vulnerability in Unisys Webperfect Image Suite. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22724
Vulnerability details
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers…
more
can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The exposed .NET Remoting channel enables remote unauthenticated exploitation of a public-facing application (T1190). Supplying a UNC path directly forces NTLM authentication to an attacker server (T1187), enabling hash capture and relay.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.