CVE-2026-39920

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

Vulnerability Details

Published Date

April 24, 2026

Last Modified

April 24, 2026

CWE ID

CWE-1188

Source

NVD

Vendor

BridgeHead Software

Product

FileStore

External References

https://axis.apache.org/axis2/java/core/docs/webadminguide.html
https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba
https://issues.apache.org/jira/browse/AXIS2-4279
https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/
https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce

CVE-2026-39920

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment