CVE-2026-39920

BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE

CVSS 9.3 CRITICAL · EPSS 0.5% · CWE-1188 (Insecure Default Initialization of Resource) · CWE-1391 (Use of Weak Credentials)
In short

BridgeHead FileStore versions before 24A leave the Apache Axis2 admin tools reachable over the network with their default passwords still set, letting anyone who can reach them log in, upload a malicious service and run any command on the server.

Technical detail

An attacker who can reach the Apache Axis2 admin console of a network-exposed BridgeHead FileStore instance prior to 24A needs no prior access: the console accepts the default credentials. Once logged in, the attacker uploads a malicious Java archive as a web service and then executes arbitrary OS commands by sending SOAP requests to that service, which amounts to full compromise of the host. The two things to verify on an instance you are responsible for are whether the admin console is reachable from untrusted networks and whether the default credentials still work; upgrading to 24A resolves the issue.

Summary generated and translated by AI from the official description.
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allow unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
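The check a practitioner would want here is the first link of the chain described above: is an Axis2 admin console reachable, and does it still accept the stock credentials? The script below is an added example, not code from the CVE entry, from BridgeHead or from Apache Axis2. It assumes the console sits at the stock Axis2 path /axis2/axis2-admin/ (this page does not give BridgeHead's real context path), that the login form posts the fields userName and password to login as the stock Axis2 admin form does, and that the stock axis2.xml defaults admin / axis2 are what was left in place. The response heuristics it uses to recognise a successful login are also assumptions and are marked as such. It only exercises the login step; nothing is uploaded or executed. It also includes an offline audit of a deployment's axis2.xml for the same defaults, so the check can be run without touching the network.

```python
"""Exposure check for an Apache Axis2 admin console left reachable with
default credentials (the first step of the BridgeHead FileStore < 24A chain).

Added example, not code from the CVE entry, BridgeHead or Apache Axis2.
Assumptions, also marked in comments: stock Axis2 admin path; form fields
`userName` / `password` posted to `login`; stock defaults admin / axis2.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ADMIN_PATH = "/axis2/axis2-admin/"      # assumption: stock Axis2 location
DEFAULT_CREDS = [("admin", "axis2")]    # stock Axis2 axis2.xml defaults

# Response heuristics (assumptions): the login page carries the userName
# input; an authenticated admin index links to service-management actions.
LOGIN_FORM_RE = re.compile(r'name=["\']?userName', re.I)
ADMIN_LINK_RE = re.compile(r'href=["\']?[./]*(?:upload|listService|listModules)\b', re.I)


@dataclass
class Verdict:
    console_exposed: bool     # an Axis2 login form was served at ADMIN_PATH
    default_creds_work: bool  # posting the defaults led to an admin page
    detail: str


def classify_login_response(status: int, body: str) -> bool:
    """True when a login attempt appears to have succeeded: a 200 page that
    no longer shows the login form but does show admin actions. A 200 that
    still carries the form, or any non-200 status, counts as a failure."""
    if status != 200 or LOGIN_FORM_RE.search(body):
        return False
    return ADMIN_LINK_RE.search(body) is not None


def check_target(base_url: str, timeout: float = 10.0) -> Verdict:
    """Probe a host you are authorized to test; report what was observed."""
    url = urllib.parse.urljoin(base_url, ADMIN_PATH)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    try:
        with opener.open(url, timeout=timeout) as r:
            body = r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return Verdict(False, False, f"{url} -> HTTP {e.code}")
    except (urllib.error.URLError, OSError) as e:
        return Verdict(False, False, f"{url} unreachable: {e}")
    if not LOGIN_FORM_RE.search(body):
        return Verdict(False, False, f"{url} reachable, no Axis2 login form seen")
    for user, pw in DEFAULT_CREDS:
        form = urllib.parse.urlencode({"userName": user, "password": pw}).encode()
        try:  # urllib follows the post-login redirect for us
            with opener.open(url + "login", form, timeout=timeout) as r:
                page = r.read().decode("utf-8", "replace")
                if classify_login_response(r.status, page):
                    return Verdict(True, True, f"default credentials {user}/{pw} accepted")
        except urllib.error.HTTPError:
            continue
    return Verdict(True, False, "login form exposed; default credentials rejected")


def audit_axis2_xml(xml_text: str) -> dict:
    """Offline check of a deployment's axis2.xml: report the admin credentials
    it configures and whether they are still the stock defaults."""
    root = ET.fromstring(xml_text)
    creds = {p.get("name"): (p.text or "").strip()
             for p in root.iter("parameter") if p.get("name") in ("userName", "password")}
    pair = (creds.get("userName"), creds.get("password"))
    return {"userName": pair[0], "password": pair[1], "uses_defaults": pair in DEFAULT_CREDS}


# Constructed samples (not captured from any real system) for offline use.
SAMPLE_LOGIN_PAGE = ('<form method="post" action="login">'
                     '<input type="text" name="userName"><input type="password" name="password">'
                     '</form>')
SAMPLE_ADMIN_PAGE = ('<h3>Tools</h3><a href="upload">Upload Service</a>'
                     '<a href="listService">Available Services</a>')
SAMPLE_AXIS2_XML = ('<axisconfig name="AxisJava2.0">'
                    '<parameter name="userName">admin</parameter>'
                    '<parameter name="password">axis2</parameter></axisconfig>')


def demo() -> dict:
    """Run the classifiers over the constructed samples."""
    return {
        "login_page_is_success": classify_login_response(200, SAMPLE_LOGIN_PAGE),
        "admin_page_is_success": classify_login_response(200, SAMPLE_ADMIN_PAGE),
        "redirect_is_success": classify_login_response(302, SAMPLE_ADMIN_PAGE),
        "config": audit_axis2_xml(SAMPLE_AXIS2_XML),
    }


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1:  # e.g. python axis2_check.py https://filestore.example.internal
        print(check_target(sys.argv[1]))
```

A Verdict with console_exposed set but default_creds_work clear still deserves attention: the admin console should not be reachable from untrusted networks at all, since a credential that is merely non-default is only one guess away from the same outcome. The audit of axis2.xml is the cheaper check when you have host access, and it does not depend on the response heuristics.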
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
