Skip to main content

Webperfect Image Suite CVE-2026-39907

| EUVDEUVD-2026-22726 HIGH
External Control of File Name or Path (CWE-73)
2026-04-14 disclosure@vulncheck.com GHSA-8jpv-7gww-9r9j
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 22:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22726
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 7.0

DescriptionCVE.org

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.

AnalysisAI

Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 leak NTLMv2 machine-account hashes through an unauthenticated SOAP endpoint on TCP port 1208, enabling remote attackers to force SMB authentication attempts and relay credentials for privilege escalation or lateral movement. The WCF service accepts unsanitized file paths in the ReadLicense action, allowing UNC path injection to trigger outbound SMB connections. CVSS 7.0 with network attack vector, low complexity, and no authentication required (PR:N). No public exploit code identified at time of analysis, though the attack technique is straightforward for adversaries familiar with NTLM relay tactics.

Technical ContextAI

The vulnerability resides in a Windows Communication Foundation (WCF) SOAP service exposing a ReadLicense action that processes file paths via the LFName parameter. The underlying flaw (CWE-73: External Control of File Name or Path) occurs when the application fails to sanitize user-supplied input before using it in file system operations. When an attacker provides a UNC path (e.g., \\attacker-server\share\file), Windows automatically initiates SMB authentication to the remote server, transmitting NTLMv2 hashes of the machine account running the service. This is a Server Message Block (SMB) coercion vulnerability pattern commonly exploited in Windows environments. The service listens on TCP 1208, providing a remotely accessible attack surface without authentication barriers. The CVSS 4.0 vector indicates low attack complexity (AC:L) and present attack requirements (AT:P), suggesting attackers need specific environmental conditions or timing but minimal technical sophistication once access to port 1208 is achieved.

RemediationAI

Contact Unisys support immediately to obtain patched versions of WebPerfect Image Suite addressing the unsanitized path handling in the WCF SOAP endpoint. No vendor-released patch version independently confirmed from available data at time of analysis-consult Unisys advisories or support channels referenced at https://www.unisys.com/solutions/cai/applications/ for update availability. As immediate mitigation, restrict network access to TCP port 1208 using firewall rules to permit only trusted management systems or disable the WCF service if not operationally required. Implement SMB signing enforcement (required, not just enabled) across the Windows environment to prevent NTLM relay attacks even if hashes are leaked. Deploy Extended Protection for Authentication (EPA) on SMB services to bind authentication to TLS channels. Monitor outbound SMB connections from WebPerfect Image Suite servers to detect exploitation attempts. Consider network segmentation to isolate document management systems from high-value targets accessible via relayed credentials. Apply principle of least privilege to service accounts running the WCF endpoint to limit lateral movement impact.

Share

CVE-2026-39907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy