{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39920", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.210Z", "datePublished": "2026-04-24T15:48:26.059Z", "dateUpdated": "2026-04-24T18:17:02.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T15:48:26.059Z"}, "title": "BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1188", "description": "CWE-1188 Initialization of a Resource with an Insecure Default", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-1391", "description": "CWE-1391 Use of Weak Credentials", "type": "CWE"}]}], "affected": [{"vendor": "BridgeHead Software", "product": "FileStore", "versions": [{"status": "affected", "version": "0", "lessThan": "24A", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.<br>"}]}], "references": [{"url": "https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba", "tags": ["technical-description", "exploit"]}, {"url": "https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/", "tags": ["release-notes"]}, {"url": "https://issues.apache.org/jira/browse/AXIS2-4279", "tags": ["related"]}, {"url": "https://axis.apache.org/axis2/java/core/docs/webadminguide.html", "tags": ["related"]}, {"url": "https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:25:34.553059Z", "id": "CVE-2026-39920", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:17:02.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39920", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T17:25:34.553059Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:26:00.534Z"}}], "cna": {"title": "BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "BridgeHead Software", "product": "FileStore", "versions": [{"status": "affected", "version": "0", "lessThan": "24A", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba", "tags": ["technical-description", "exploit"]}, {"url": "https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/", "tags": ["release-notes"]}, {"url": "https://issues.apache.org/jira/browse/AXIS2-4279", "tags": ["related"]}, {"url": "https://axis.apache.org/axis2/java/core/docs/webadminguide.html", "tags": ["related"]}, {"url": "https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.", "supportingMedia": [{"type": "text/html", "value": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Initialization of a Resource with an Insecure Default"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1391", "description": "CWE-1391 Use of Weak Credentials"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T15:48:26.059Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39920", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:17:02.370Z", "dateReserved": "2026-04-07T20:57:06.210Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-24T15:48:26.059Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service."}], "id": "CVE-2026-39920", "lastModified": "2026-04-24T17:55:55.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-24T16:16:36.267", "references": [{"source": "disclosure@vulncheck.com", "url": "https://axis.apache.org/axis2/java/core/docs/webadminguide.html"}, {"source": "disclosure@vulncheck.com", "url": "https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba"}, {"source": "disclosure@vulncheck.com", "url": "https://issues.apache.org/jira/browse/AXIS2-4279"}, {"source": "disclosure@vulncheck.com", "url": "https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}, {"lang": "en", "value": "CWE-1391"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,24A)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FileStore", "source": "cna", "vendor": "BridgeHead Software"}, "product": "filestore", "vendor": "bridgehead_software"}], "analysis": {"en": {"generated_at": "2026-04-28T06:03:52.929368+00:00", "value": {"mitigation_remediation": ["Upgrade BridgeHead FileStore to version 24A or later, which removes the exposed administration module and eliminates default credentials.", "If an upgrade is not immediately possible, block external network access to the Axis2 administration endpoint or restrict it to a trusted internal network segment.", "Change the default administrator username and password to a strong, unique credential and enforce a password policy that requires complexity and periodic rotation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via default credentials"}, "threat_synthesis": {"affected_systems": "BridgeHead Software FileStore versions prior to 24A. The affected product uses the Apache Axis2 framework for its administration console, and the security issue is present in all instances of the product released before the 24A update.", "description_and_impact": "BridgeHead FileStore versions earlier than 24A expose the Apache Axis2 administration module on network\u2011accessible endpoints. Attackers can log in with the hard\u2011coded default credentials, upload a malicious Java archive as a web service, and then issue SOAP requests that cause the host to execute arbitrary OS commands. The vulnerability stems from insecure default authentication (CWE\u20111188) and remote code execution via web services (CWE\u20111391). The impact includes full compromise of confidentiality, integrity, and availability on the affected system, as the attacker can run any command with the privileges of the service process.", "risk_and_exploitability": "The CVSS score of 9.3 places this issue in the critical severity range. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is network\u2011based, requiring an unauthenticated user to access the exposed administration endpoint, which is typically reachable from external IP addresses. The existence of default credentials is a prerequisite for exploitation, and no additional setup beyond remote access is described in the advisory."}}}}, "created": "2026-04-27T19:52:54.628592+00:00", "updated": "2026-04-28T06:15:24.139321+00:00", "vendors": ["bridgehead_software", "bridgehead_software$PRODUCT$filestore"]}