CVE-2026-39920

EUVD-2026-25569

24.04.2026, 16:16

BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-1188 - Insecure Default Initialization of Resource
The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References

https://axis.apache.org/axis2/java/core/docs/webadminguide.html

https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba

https://issues.apache.org/jira/browse/AXIS2-4279

https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/

https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce