CVE-2026-39907 Overview
CVE-2026-39907 is an information disclosure vulnerability affecting Unisys WebPerfect Image Suite that allows remote attackers to leak NTLMv2 machine-account hashes through an unauthenticated WCF SOAP endpoint. The vulnerability exists due to improper input validation (CWE-73: External Control of File Name or Path) in the ReadLicense action's LFName parameter, which accepts unsanitized file paths including UNC paths.
Attackers can exploit this flaw by submitting crafted SOAP requests containing UNC paths to TCP port 1208, forcing the vulnerable server to initiate outbound SMB connections. This results in the exposure of NTLMv2 authentication credentials that can be captured by an attacker-controlled server and subsequently relayed for privilege escalation or lateral movement within the target network.
Critical Impact
Unauthenticated remote attackers can force NTLMv2 credential leakage, enabling credential relay attacks and potential lateral movement across enterprise networks.
Affected Products
- Unisys WebPerfect Image Suite version 3.0.3960.22810
- Unisys WebPerfect Image Suite version 3.0.3960.22604
Discovery Timeline
- April 14, 2026 - CVE-2026-39907 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39907
Vulnerability Analysis
This vulnerability stems from an exposed WCF (Windows Communication Foundation) SOAP endpoint that listens on TCP port 1208 without requiring authentication. The endpoint's ReadLicense action accepts file path input through the LFName parameter, which fails to properly validate or sanitize the input before processing.
The lack of input sanitization allows attackers to inject UNC (Universal Naming Convention) paths such as \\attacker-server\share\file. When the vulnerable application attempts to access the specified path, it initiates an outbound SMB connection to the attacker-controlled server, automatically sending the machine account's NTLMv2 hash as part of the SMB authentication handshake.
The captured NTLMv2 hashes can be leveraged in several attack scenarios including offline password cracking, NTLM relay attacks against other network services, and pass-the-hash techniques for lateral movement.
Root Cause
The root cause is improper external control of file name or path (CWE-73), where the application fails to validate that user-supplied file paths are constrained to local file system resources only. The WCF SOAP endpoint accepts arbitrary path strings without checking for UNC path patterns or restricting access to a safe directory scope.
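The missing check, sketched as an added example (this is not code from Unisys or the advisory): a lexical validator that accepts only a bare, allow-listed file name for LFName and resolves it under a fixed directory. The directory, the `.lic` naming scheme and the function names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for illustration: directory and naming scheme are not from the page.
LICENSE_DIR = PureWindowsPath(r"C:\ProgramData\ExampleApp\Licenses")
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.lic")
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def rejection_reason(lfname):
    """Return None if lfname is an acceptable bare file name, else the reason."""
    p = PureWindowsPath(lfname)
    if p.drive.startswith("\\\\"):
        # \\host\share, //host/share, \\?\... and \\.\... all parse to a "\\" drive
        return "unc-or-device-path"
    if p.drive or p.root:
        return "absolute-path"
    if ".." in p.parts:
        return "traversal"
    if len(p.parts) != 1:
        return "not-a-bare-file-name"
    if not NAME_RE.fullmatch(lfname):
        return "name-not-allow-listed"
    if p.stem.upper() in RESERVED:
        return "reserved-device-name"
    return None


def resolve_license_path(lfname):
    """Map a caller-supplied LFName to a path under LICENSE_DIR or raise."""
    reason = rejection_reason(lfname)
    if reason:
        raise ValueError(f"LFName rejected: {reason}")
    return LICENSE_DIR / lfname


if __name__ == "__main__":
    # Constructed inputs; 192.0.2.10 is a documentation address.
    for sample in [r"\\192.0.2.10\share\a.lic", "//fileserver/share/a.lic",
                   r"\\?\C:\Windows\win.ini", r"C:\Windows\win.ini",
                   r"..\..\secret.lic", "NUL.lic", "site-01.lic"]:
        print(f"{sample!r:32} -> {rejection_reason(sample) or 'accepted'}")
```

The check is purely lexical, so it has to run before any file API sees the string; a file API that receives the raw value will already have started the SMB connection.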
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to TCP port 1208 can directly send malicious SOAP requests to the vulnerable endpoint. The exploitation flow involves:
- The attacker identifies a vulnerable Unisys WebPerfect Image Suite instance with port 1208 exposed
- The attacker sets up an SMB capture server (such as Responder or Impacket's smbserver.py)
- A crafted SOAP request is sent to the ReadLicense action containing a UNC path pointing to the attacker's server
- The vulnerable server attempts to read the file, initiating an SMB connection to the attacker
- The attacker captures the NTLMv2 hash from the SMB authentication attempt
- The hash can then be relayed, cracked, or used in further attacks
For detailed technical analysis and exploitation methodology, refer to the VulnCheck Advisory on Unisys WebPerfect.
Detection Methods for CVE-2026-39907
Indicators of Compromise
- Unexpected outbound SMB connections (TCP port 445) from servers running Unisys WebPerfect Image Suite
- Network traffic to TCP port 1208 from external or untrusted IP addresses
- SOAP requests to the ReadLicense action containing UNC paths or backslash characters in the LFName parameter
- Evidence of NTLM authentication attempts to unknown or external servers in Windows Security Event logs
Detection Strategies
- Monitor network traffic for outbound SMB connections originating from application servers that should not initiate such connections
- Implement intrusion detection rules to identify SOAP requests on port 1208 containing UNC path patterns (e.g., \\ followed by IP addresses or hostnames)
- Review Windows Security Event Log (Event ID 4648) for explicit credential use to unusual or external destinations
- Deploy network segmentation monitoring to detect anomalous east-west traffic following potential credential relay
Monitoring Recommendations
- Configure firewall logging to capture all traffic to and from TCP port 1208
- Implement SIEM correlation rules to alert on combinations of inbound SOAP traffic followed by outbound SMB connections
- Monitor for authentication anomalies where machine accounts authenticate to unexpected services
- Use SentinelOne's Singularity platform to detect and alert on suspicious network behavior and credential access patterns
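The correlation rule described above (inbound traffic to TCP 1208 followed by outbound SMB from the same server), as an added example that is not part of the original advisory or any vendor product. The flow records, addresses, CSV layout, 10-second window and function name are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed flow records (documentation/private addresses); 10.20.0.15 is the
# assumed WebPerfect server and 10.20.0.5 an assumed authorized file server.
FLOWS = """ts,src,dst,dport
2026-04-15T09:00:00,10.20.7.31,10.20.0.15,1208
2026-04-15T09:00:01,10.20.0.15,203.0.113.50,445
2026-04-15T09:05:00,10.20.0.15,10.20.0.5,445
2026-04-15T10:00:00,10.20.7.31,10.20.0.15,1208
2026-04-15T10:00:02,10.20.0.15,10.20.0.5,445
2026-04-15T11:30:00,10.20.0.15,198.51.100.9,445
"""


def correlate(flow_csv, allowed_smb=frozenset(), window=timedelta(seconds=10)):
    """Alert when a host that just received port-1208 traffic opens SMB to a
    destination outside allowed_smb within `window`."""
    rows = sorted(csv.DictReader(io.StringIO(flow_csv)), key=lambda r: r["ts"])
    last_soap = {}   # server IP -> (time, client IP) of latest 1208 connection
    alerts = []
    for r in rows:
        ts = datetime.fromisoformat(r["ts"])
        if r["dport"] == "1208":
            last_soap[r["dst"]] = (ts, r["src"])
        elif r["dport"] == "445" and r["dst"] not in allowed_smb:
            seen = last_soap.get(r["src"])
            if seen and ts - seen[0] <= window:
                alerts.append({"server": r["src"], "smb_dst": r["dst"],
                               "soap_src": seen[1],
                               "delay_s": (ts - seen[0]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FLOWS, allowed_smb={"10.20.0.5"}):
        print(alert)
```

The 11:30 connection to 198.51.100.9 is not reported here because no port-1208 request precedes it within the window; the standalone outbound-SMB rule from the detection strategies covers that case.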
How to Mitigate CVE-2026-39907
Immediate Actions Required
- Block external network access to TCP port 1208 using perimeter and host-based firewalls
- Restrict outbound SMB traffic (TCP 445) from servers running the vulnerable software to only authorized destinations
- Implement network segmentation to isolate systems running Unisys WebPerfect Image Suite from sensitive network resources
- Enable Extended Protection for Authentication (EPA) and SMB signing where possible to mitigate relay attacks
Patch Information
No official patch information is currently available in the CVE data. Organizations should monitor the Unisys Application Solutions page and the VulnCheck Advisory for updates on vendor remediation.
Workarounds
- Configure Windows Firewall to block inbound connections to TCP port 1208 from untrusted networks
- Block outbound SMB traffic at the network perimeter to prevent hash capture by external attackers
- Consider disabling the WCF SOAP endpoint if the licensing functionality is not required for business operations
- Implement network-level authentication requirements for access to the affected service
# Block inbound traffic to TCP port 1208 (Windows Firewall PowerShell)
New-NetFirewallRule -DisplayName "Block WebPerfect WCF Port" -Direction Inbound -LocalPort 1208 -Protocol TCP -Action Block
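# Block outbound SMB to external networks. -RemoteAddress has no "!" negation syntax,
# so the unicast ranges outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are listed explicitly (adjust for internal ranges)
New-NetFirewallRule -DisplayName "Block Outbound SMB External" -Direction Outbound -RemotePort 445 -Protocol TCP -RemoteAddress "1.0.0.0-9.255.255.255","11.0.0.0-172.15.255.255","172.32.0.0-192.167.255.255","192.169.0.0-223.255.255.255" -Action Block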
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

