CVE-2026-39920
Published: 24 April 2026
Description
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials, which allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
Mitigating Controls (NIST 800-53 r5)
Enforces secure configuration settings so that the Apache Axis2 administration module is not exposed on network-accessible endpoints and default credentials are removed.
Restricts the system to least functionality by disabling unnecessary administration consoles, so that an exposed service cannot be used for arbitrary command execution.
Mandates management of authenticators to prohibit default or weak credentials, blocking the initial authentication to the vulnerable Axis2 admin console.
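The three controls above come down to two checks a defender can run against an Axis2 deployment's own configuration files: whether the admin login still uses the Apache Axis2 distribution defaults, and whether the admin console is mapped to a URL at all. The following script is an added example written for this page; it is not code from the advisory, from BridgeHead Software or from the Axis2 project. It assumes the stock Axis2 file layout (an `axis2.xml` carrying `userName`/`password` parameters and a `web.xml` that maps `org.apache.axis2.webapp.AxisAdminServlet`), a minimum password length that is a local policy choice, and constructed sample files in place of a real FileStore installation, whose paths the advisory does not give.

```python
"""Added defensive configuration audit for the two conditions CVE-2026-39920
hinges on: default Axis2 admin credentials and a reachable admin console.
Example code written for this page, not from the advisory or from Axis2."""
import xml.etree.ElementTree as ET

# Defaults documented in the stock Apache Axis2 axis2.xml ("Axis2 Admin login").
AXIS2_DEFAULT_USER = "admin"
AXIS2_DEFAULT_PASSWORD = "axis2"
MIN_PASSWORD_LENGTH = 12  # assumed local policy, not an Axis2 setting
# Servlet class the stock Axis2 web.xml uses for the admin console.
ADMIN_SERVLET_CLASS = "org.apache.axis2.webapp.AxisAdminServlet"

# Constructed samples shaped like the stock Axis2 WAR files (only the relevant
# elements are shown). The hardened credential value is a placeholder.
VULNERABLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <parameter name="hotdeployment">true</parameter>
</axisconfig>"""

HARDENED_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="userName">filestore-ops</parameter>
    <parameter name="password">REPLACE_WITH_STRONG_UNIQUE_SECRET</parameter>
    <parameter name="hotdeployment">false</parameter>
</axisconfig>"""

VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Hardened form: the admin servlet and its mapping are removed entirely.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Text of the first child named `name`, or '' if absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def audit_axis2_credentials(axis2_xml_text):
    """Return finding codes for the admin login parameters (empty = clean).
    A missing password parameter is treated as an empty, hence weak, password."""
    root = ET.fromstring(axis2_xml_text)
    params = {p.get("name"): (p.text or "").strip()
              for p in _children(root, "parameter") if p.get("name")}
    findings = []
    if params.get("userName", "") == AXIS2_DEFAULT_USER:
        findings.append("DEFAULT_ADMIN_USERNAME")
    password = params.get("password", "")
    if password == AXIS2_DEFAULT_PASSWORD:
        findings.append("DEFAULT_ADMIN_PASSWORD")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append("WEAK_ADMIN_PASSWORD")
    return findings


def admin_console_url_patterns(web_xml_text):
    """Return the url-patterns routed to the Axis2 admin servlet.
    An empty list means the console is not mapped, i.e. it is disabled."""
    root = ET.fromstring(web_xml_text)
    admin_names = {_text(s, "servlet-name") for s in _children(root, "servlet")
                   if _text(s, "servlet-class") == ADMIN_SERVLET_CLASS}
    patterns = []
    for mapping in _children(root, "servlet-mapping"):
        if _text(mapping, "servlet-name") in admin_names:
            patterns.extend(p.text.strip() for p in _children(mapping, "url-pattern") if p.text)
    return patterns


if __name__ == "__main__":
    for label, axis2, web in (("vulnerable", VULNERABLE_AXIS2_XML, VULNERABLE_WEB_XML),
                              ("hardened", HARDENED_AXIS2_XML, HARDENED_WEB_XML)):
        print(label, "credential findings:", audit_axis2_credentials(axis2))
        print(label, "admin console mapped at:", admin_console_url_patterns(web))
```

Run against a real deployment, the two functions would be fed the contents of the installed `axis2.xml` and `web.xml`; a clean result is an empty finding list and an empty mapping list. Namespaces are stripped before matching because Java EE descriptors carry a default namespace that would otherwise make every tag lookup miss.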
Security Summary
CVE-2026-39920 is a critical remote code execution vulnerability affecting BridgeHead FileStore versions prior to 24A, released in early 2024. The issue stems from the exposure of the Apache Axis2 administration module on network-accessible endpoints using default credentials. This configuration allows unauthenticated remote attackers to gain access and execute arbitrary operating system commands, and is mapped to CWE-1188 (Insecure Default Initialization of Resource) and CWE-1391 (Use of Weak Credentials). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites.
Any unauthenticated attacker with network access to the affected BridgeHead FileStore instance can exploit this vulnerability. The attack begins with authenticating to the Axis2 admin console using the default credentials, followed by uploading a malicious Java archive (JAR) file as a web service. Once deployed, attackers send SOAP requests to the service to execute arbitrary OS commands on the host system, potentially leading to full compromise including data exfiltration, persistence, or lateral movement.
Advisories, including those from VulnCheck and BridgeHead Software, recommend upgrading to FileStore version 24A, which resolves the exposure of the Apache Axis2 admin module. Additional guidance from Apache Axis2 documentation and related JIRA issue AXIS2-4279 highlights securing or disabling the admin console to prevent default credential exploitation. A proof-of-concept exploit is available via a public GitHub Gist, underscoring the need for immediate patching.
Details
- CWE(s): CWE-1188 (Insecure Default Initialization of Resource), CWE-1391 (Use of Weak Credentials)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The Apache Axis2 admin module is exposed on a public-facing endpoint with default credentials (T1078.001), enabling exploitation of the public-facing application (T1190) to upload and deploy a malicious JAR web service used for arbitrary OS command execution (T1100).