CVE-2026-39920
CRITICAL
NVD
CVSS Score
9.8
Severity
CRITICAL
Published
Apr 24, 2026
Vendor
unknown
Description
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
References
- https://axis.apache.org/axis2/java/core/docs/webadminguide.html
- https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba
- https://issues.apache.org/jira/browse/AXIS2-4279
- https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/
- https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce