CVE-2026-39907
Published: 14 April 2026
Summary
CVE-2026-39907 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Unisys Webperfect Image Suite. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 44.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 contain an unauthenticated WCF SOAP endpoint listening on TCP port 1208. The LFName parameter of the ReadLicense action is not sanitized and accepts arbitrary file paths, a flaw consistent with CWE-73. This permits remote attackers to supply UNC paths that cause the service to initiate outbound SMB connections and disclose NTLMv2 hashes for the machine account.
An attacker with network access to the endpoint can send crafted SOAP requests containing attacker-controlled UNC paths. The resulting SMB authentication attempts expose reusable NTLMv2 credentials that may be relayed to other systems for privilege escalation or lateral movement inside the target environment. The published CVSS 7.0 rating reflects a network attack vector, low attack complexity, and high subsequent impact on the confidentiality and integrity of other systems.
Public references include a technical gist, the vendor product page, and a VulnCheck advisory that document the exposure but do not detail available patches or configuration workarounds. The associated EPSS score remains flat at 0.0104 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22726
Vulnerability details
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated, publicly reachable WCF endpoint (Exploit Public-Facing Application, T1190) accepts unsanitized UNC paths that force the service to authenticate outbound over SMB (Forced Authentication, T1187), leaking NTLMv2 machine-account hashes.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly blocks unauthenticated access to the WCF endpoint on TCP 1208, stopping crafted SOAP requests before they can supply UNC paths.
- SI-10 (Information Input Validation): Requires validation of the LFName parameter to reject UNC paths and external file references, eliminating the vector that triggers outbound SMB authentication.
- Restricts exposure of the internal WCF port and can enforce egress filtering to block or monitor unexpected outbound SMB connections to attacker-controlled hosts.
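The SI-10 control above amounts to an allow-list on LFName: a license file name must be a bare file name that resolves inside a fixed directory, never a UNC path, URI, device path or absolute path. The Python validator below is an added example, not the product's code (WebPerfect is a .NET WCF service); LICENSE_DIR, the rejection labels and the sample inputs are hypothetical and constructed. It uses ntpath so the Windows path rules apply on any host.

```python
import ntpath
import re

# Hypothetical base directory for license files; the real product's layout is not documented here.
LICENSE_DIR = r"C:\ProgramData\WebPerfect\Licenses"

# Allow-list: a bare Windows file name, alphanumeric at both ends, no separators, no ':' (ADS syntax).
SAFE_NAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,126}[A-Za-z0-9])?$")
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}


def classify(lfname: str) -> str:
    """Label an untrusted LFName value; anything but 'ok' must be rejected before any file I/O."""
    p = lfname.replace("/", "\\")           # Windows accepts '/' as a separator, so //host/share is UNC too
    if re.match(r"^[a-z][a-z0-9+.-]+://", lfname, re.I):
        return "uri"                        # file://host/share and similar schemes also reach remote hosts
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return "device"                     # \\?\UNC\host\share and the \\.\ device namespace
    if p.startswith("\\\\"):
        return "unc"                        # \\host\share: the shape that forces outbound SMB authentication
    drive, _ = ntpath.splitdrive(p)
    if drive or p.startswith("\\"):
        return "absolute"                   # C:\..., drive-relative C:name, or \rooted
    if "\\" in p:
        return "traversal"                  # any remaining separator, including ..\.. sequences
    if not SAFE_NAME.fullmatch(lfname):
        return "unsafe-chars"
    if lfname.split(".")[0].upper() in RESERVED:
        return "reserved"                   # CON, NUL, COM1 ... resolve to devices on Windows
    return "ok"


def resolve_license_path(lfname: str) -> str:
    """Map a validated LFName onto LICENSE_DIR, or raise ValueError carrying the rejection reason."""
    kind = classify(lfname)
    if kind != "ok":
        raise ValueError(f"rejected LFName ({kind}): {lfname!r}")
    base = ntpath.normpath(LICENSE_DIR)
    full = ntpath.normpath(ntpath.join(base, lfname))
    # Defence in depth: the joined, normalised path must still sit beneath LICENSE_DIR.
    if ntpath.commonpath([base, full]) != base:
        raise ValueError(f"rejected LFName (escapes license directory): {lfname!r}")
    return full


if __name__ == "__main__":
    # Constructed samples: one legitimate name plus the path shapes a validator must turn away.
    for sample in ("license.lic", r"\\EXAMPLE-HOST\share\x.lic", "//EXAMPLE-HOST/share/x.lic",
                   r"\\?\UNC\EXAMPLE-HOST\share\x.lic", "file://EXAMPLE-HOST/share/x.lic",
                   r"..\..\Windows\win.ini", r"C:\Windows\win.ini", "NUL", "license.lic:$DATA"):
        print(f"{sample!r:42} -> {classify(sample)}")
```

Logging the rejection label per request gives the SOC a cheap detection signal for probing against this endpoint, complementing the egress filtering listed above.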