Cyber Resilience

CVE-2026-39906

HighPublic PoC

Published: 14 April 2026

Published
14 April 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 7.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0069 47.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-39906 is a high-severity Confused Deputy (CWE-441) vulnerability in Unisys Webperfect Image Suite. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers…

more

can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Why these techniques?

The exposed .NET Remoting channel enables remote unauthenticated exploitation of a public-facing application (T1190). Supplying a UNC path directly forces NTLM authentication to an attacker server (T1187), enabling hash capture and relay.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39907Same product: Unisys Webperfect Image Suite
CVE-2025-48646Shared CWE-441
CVE-2025-48570Shared CWE-441
CVE-2026-36608Shared CWE-441
CVE-2026-24470Shared CWE-441
CVE-2025-62718Shared CWE-441
CVE-2023-31313Shared CWE-441
CVE-2026-33768Shared CWE-441
CVE-2026-0098Shared CWE-441
CVE-2026-0107Shared CWE-441

Affected Assets

unisys
webperfect image suite
3.0.3960.22604, 3.0.3960.22810

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-441

Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.

References