EUVD-2026-22724
GHSA-qhm2-fwj3-3r79
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
AnalysisAI
NTLMv2 credential leakage in Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 enables remote unauthenticated attackers to extract machine-account hashes via deprecated .NET Remoting TCP channels, facilitating network-wide lateral movement and privilege escalation through hash relay attacks. Disclosed by VulnCheck, this flaw exploits insecure object deserialization to coerce NTLM authentication to attacker-controlled UNC paths. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: inventory all systems running Unisys WebPerfect Image Suite 3.0.3960.22810 or 3.0.3960.22604 and isolate affected servers from production networks if business-critical functionality permits. Within 7 days: contact Unisys for patch availability and timeline; implement network segmentation to restrict legacy .NET Remoting TCP channel access (typically port 9090) to authorized hosts only; enable network-based NTLM relay attack detection. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today