Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.
AnalysisAI
Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 leak NTLMv2 machine-account hashes through an unauthenticated SOAP endpoint on TCP port 1208, enabling remote attackers to force SMB authentication attempts and relay credentials for privilege escalation or lateral movement. The WCF service accepts unsanitized file paths in the ReadLicense action, allowing UNC path injection to trigger outbound SMB connections. CVSS 7.0 with network attack vector, low complexity, and no authentication required (PR:N). No public exploit code identified at time of analysis, though the attack technique is straightforward for adversaries familiar with NTLM relay tactics.
Technical ContextAI
The vulnerability resides in a Windows Communication Foundation (WCF) SOAP service exposing a ReadLicense action that processes file paths via the LFName parameter. The underlying flaw (CWE-73: External Control of File Name or Path) occurs when the application fails to sanitize user-supplied input before using it in file system operations. When an attacker provides a UNC path (e.g., \\attacker-server\share\file), Windows automatically initiates SMB authentication to the remote server, transmitting NTLMv2 hashes of the machine account running the service. This is a Server Message Block (SMB) coercion vulnerability pattern commonly exploited in Windows environments. The service listens on TCP 1208, providing a remotely accessible attack surface without authentication barriers. The CVSS 4.0 vector indicates low attack complexity (AC:L) and present attack requirements (AT:P), suggesting attackers need specific environmental conditions or timing but minimal technical sophistication once access to port 1208 is achieved.
RemediationAI
Contact Unisys support immediately to obtain patched versions of WebPerfect Image Suite addressing the unsanitized path handling in the WCF SOAP endpoint. No vendor-released patch version independently confirmed from available data at time of analysis-consult Unisys advisories or support channels referenced at https://www.unisys.com/solutions/cai/applications/ for update availability. As immediate mitigation, restrict network access to TCP port 1208 using firewall rules to permit only trusted management systems or disable the WCF service if not operationally required. Implement SMB signing enforcement (required, not just enabled) across the Windows environment to prevent NTLM relay attacks even if hashes are leaked. Deploy Extended Protection for Authentication (EPA) on SMB services to bind authentication to TLS channels. Monitor outbound SMB connections from WebPerfect Image Suite servers to detect exploitation attempts. Consider network segmentation to isolate document management systems from high-value targets accessible via relayed credentials. Apply principle of least privilege to service accounts running the WCF endpoint to limit lateral movement impact.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22726
GHSA-8jpv-7gww-9r9j