BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE

Advisories

severity: critical
date: 4/24/2026
Affecting: FileStore < 24A
CVE: CVE-2026-39920
CWE: CWE-1188 Initialization of a Resource with an Insecure Default
CWE-1391 Use of Weak Credentials
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Researcher Disclosure
Product Webpage
Apache AXIS2 Issue
Apache Documentation
Credit: Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.
Description: BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo