Description

BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials, which allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using the default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

PUBLISHED | Reserved 2026-04-07 | Published 2026-04-24 | Updated 2026-04-24 | Assigner VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-1188 Initialization of a Resource with an Insecure Default

CWE-1391 Use of Weak Credentials

Product status

Default status: unaffected

Any version before 24A: affected

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp. (finder)

VulnCheck (coordinator)

References

gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba (technical-description, exploit)

www.bridgeheadsoftware.com/...ta-protection-product-updates/ (release-notes)

issues.apache.org/jira/browse/AXIS2-4279 (related)

axis.apache.org/axis2/java/core/docs/webadminguide.html (related)

www.vulncheck.com/...4a-apache-axis2-default-credentials-rce (third-party-advisory)

cve.org (CVE-2026-39920)

nvd.nist.gov (CVE-2026-39920)