Skip to main content

Microsoft EUVDEUVD-2026-22724

| CVE-2026-39906 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-04-14 disclosure@vulncheck.com GHSA-qhm2-fwj3-3r79
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 22:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22724
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 7.0

DescriptionCVE.org

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.

AnalysisAI

NTLMv2 credential leakage in Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 enables remote unauthenticated attackers to extract machine-account hashes via deprecated .NET Remoting TCP channels, facilitating network-wide lateral movement and privilege escalation through hash relay attacks. Disclosed by VulnCheck, this flaw exploits insecure object deserialization to coerce NTLM authentication to attacker-controlled UNC paths. EPSS data not available; no KEV listing or public exploit code identified at time of analysis, though the disclosed technical details provide sufficient information for weaponization.

Technical ContextAI

The vulnerability stems from CWE-441 (Unintended Proxy or Intermediary), where Unisys WebPerfect Image Suite exposes a legacy .NET Remoting TCP channel-a technology deprecated since .NET Core due to inherent insecurity in binary serialization. The affected software unmarshals attacker-supplied objects containing Windows UNC paths (e.g., \\attacker-controlled-server\share\file), triggering automatic NTLM authentication from the server's machine account to the attacker's SMB listener. This architectural flaw combines unsafe deserialization with NTLM's challenge-response mechanism, where Windows automatically authenticates when accessing remote UNC paths. The leaked NTLMv2 hashes can be relayed using tools like ntlmrelayx or Responder to authenticate against other SMB, HTTP, or LDAP services without cracking, particularly effective against hosts lacking SMB signing enforcement or EPA (Extended Protection for Authentication).

RemediationAI

No vendor-released patch identified at time of analysis. Organizations should immediately isolate affected Unisys WebPerfect Image Suite servers from untrusted networks using network segmentation or firewall rules blocking access to the .NET Remoting TCP port (typically 8080 or custom configured ports). Disable the deprecated .NET Remoting channel if the feature is non-essential to operations. Implement SMB signing enforcement and Extended Protection for Authentication (EPA) across the Windows domain to prevent NTLM relay attacks even if hashes leak. Monitor for unusual UNC path access attempts in application logs and network traffic to SMB ports 445/139 from application servers. Contact Unisys support referencing CVE-2026-39906 for patch availability timelines. Review the VulnCheck advisory at https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting for additional technical mitigation strategies.

Share

EUVD-2026-22724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy