
CVE-2026-39907

Severity: High · Public PoC
Published: 14 April 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 7.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0062 (44.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-39907 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Unisys WebPerfect Image Suite, with a CVSS v4 base score of 7.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 44.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint listening on TCP port 1208. Its ReadLicense action takes an LFName parameter that is handed to the file system without sanitisation, so it accepts arbitrary paths, a flaw consistent with CWE-73. A remote attacker can supply a UNC path, which makes the service open an outbound SMB connection to the attacker's host and authenticate to it, disclosing the machine account's NTLMv2 challenge-response (commonly called the Net-NTLMv2 hash).

An attacker with network access to the endpoint can send crafted SOAP requests containing attacker-controlled UNC paths. The resulting SMB authentication attempts expose credentials that can be relayed to other systems that do not require signing or channel binding, enabling privilege escalation or lateral movement inside the target environment. Because a machine account password is long and random, offline cracking of the captured response is impractical; relay is the realistic abuse path. The published CVSS 7.0 rating reflects a network attack vector, low attack complexity with attack requirements present (AT:P), and high subsequent impact on the confidentiality and integrity of other systems.

Public references comprise a technical gist, the vendor product page, and a VulnCheck advisory; they document the exposure but do not detail available patches or configuration workarounds. The EPSS score has stayed flat since disclosure (0.0104 at the time of this analysis) with no observed increase.


Vulnerability details

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitised file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.

CWE(s)

CWE-73 External Control of File Name or Path


MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1187 Forced Authentication (Credential Access)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Why these techniques?

The unauthenticated, publicly reachable WCF endpoint (T1190) accepts unsanitised UNC paths that force outbound SMB authentication (T1187), leaking the machine account's Net-NTLMv2 response.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39906 (same product: Unisys WebPerfect Image Suite)
CVE-2025-65473 (shared CWE-73)
CVE-2025-10134 (shared CWE-73)
CVE-2026-40370 (shared CWE-73)
CVE-2025-65115 (shared CWE-73)
CVE-2024-12267 (shared CWE-73)
CVE-2025-9048 (shared CWE-73)
CVE-2025-66254 (shared CWE-73)
CVE-2026-26360 (shared CWE-73)
CVE-2025-10058 (shared CWE-73)

Affected Assets

Vendor: Unisys
Product: WebPerfect Image Suite
Versions: 3.0.3960.22604, 3.0.3960.22810

Mitigating Controls (NIST 800-53 r5, AI mapping)

prevent · AC-3 Access Enforcement

Directly blocks unauthenticated access to the WCF endpoint on TCP 1208, stopping crafted SOAP requests before they can supply UNC paths.

prevent · SI-10 Information Input Validation

Requires validation of the LFName parameter to reject UNC paths and external file references, eliminating the vector that triggers outbound SMB authentication.

prevent

Restricts exposure of the internal WCF port and can enforce egress filtering to block or monitor unexpected outbound SMB connections to attacker-controlled hosts.
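The egress-monitoring half of that last control is the one a SOC can act on today, whether or not a patch exists. The block below is an added example, not code from the original page or from Unisys: it runs the check over constructed log lines in the shape of a Windows Firewall pfirewall.log and flags every outbound SMB session from the WebPerfect host to a server that is not one of its known file servers or domain controllers, which is exactly the forced-authentication side effect of the flaw. WEBPERFECT_HOST, KNOWN_SMB_SERVERS and the log contents are assumptions.

```python
# Added example (not code from the page). Detects coerced outbound SMB from the
# WebPerfect host. Host, allow-list and log lines are constructed assumptions.
import ipaddress
from typing import Dict, List

WEBPERFECT_HOST = "10.10.5.20"                    # assumed: host running the WCF service
KNOWN_SMB_SERVERS = {"10.10.1.10", "10.10.1.11"}  # assumed: DCs / file servers it may talk to
SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in pfirewall.log layout; documentation-range addresses stand in
# for attacker hosts. Line 1 is a legitimate DC session, line 6 is unrelated HTTPS,
# line 7 is the inbound SOAP request itself (port 1208).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-15 10:20:58 ALLOW TCP 10.10.5.20 10.10.1.10 50211 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:07 ALLOW TCP 10.10.5.20 203.0.113.7 51234 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:07 ALLOW TCP 10.10.5.20 203.0.113.7 51235 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:09 DROP TCP 10.10.5.20 198.51.100.9 51240 139 0 - 0 0 0 - - - SEND
2026-04-15 10:21:30 ALLOW TCP 10.10.5.20 10.10.7.44 51300 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:31 ALLOW TCP 10.10.5.20 203.0.113.50 51302 443 0 - 0 0 0 - - - SEND
2026-04-15 10:21:40 ALLOW TCP 10.10.9.3 10.10.5.20 60000 1208 0 - 0 0 0 - - - RECEIVE
"""


def parse_pfirewall(text: str) -> List[Dict[str, str]]:
    """Parse the W3C-style firewall log into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue          # skip malformed lines instead of crashing the detector
        rows.append(dict(zip(fields, parts)))
    return rows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress_alerts(rows: List[Dict[str, str]], host: str = WEBPERFECT_HOST,
                      allow=KNOWN_SMB_SERVERS) -> List[Dict[str, object]]:
    """Outbound SMB from `host` to anything not allow-listed. DROPped attempts are
    kept: a blocked connection still means the service was coerced. External
    destinations rate higher; an internal one may be an attacker's relay box."""
    alerts: List[Dict[str, object]] = []
    for r in rows:
        if r["src-ip"] != host or r["protocol"] != "TCP" or r["path"] != "SEND":
            continue
        port = int(r["dst-port"])
        if port not in SMB_PORTS or r["dst-ip"] in allow:
            continue
        alerts.append({
            "time": f"{r['date']} {r['time']}",
            "dst": r["dst-ip"],
            "port": port,
            "action": r["action"],
            "severity": "medium" if is_internal(r["dst-ip"]) else "high",
        })
    return alerts


def count_by_destination(alerts) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["dst"]] = counts.get(a["dst"], 0) + 1
    return counts


def run_sample():
    return smb_egress_alerts(parse_pfirewall(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['time']} {a['severity']:6} {a['action']:5} "
              f"{WEBPERFECT_HOST} -> {a['dst']}:{a['port']}")
    print(count_by_destination(run_sample()))
```

Two design points: the allow-list is deliberately tiny, because an application server has no business opening SMB sessions to anything but its file servers and domain controllers, and a DROP is reported just like an ALLOW, since the point of the alert is that the service was coerced, not whether the firewall happened to stop the session.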

References

Technical gist
Unisys WebPerfect Image Suite product page
VulnCheck advisory