Critical (9.8)

BridgeHead FileStore unauth RCE (CVE-2026-39920)


CVE-2026-39920: BridgeHead FileStore pre-24A default Axis2 credentials grant unauthenticated RCE (CVSS 9.8). Patch to 24A immediately.

Patch now - CVE-2026-39920 is a critical unauthenticated remote code execution vulnerability in BridgeHead FileStore versions prior to 24A that lets attackers gain full control of the host via default credentials on the Apache Axis2 admin console.

Overview

CVE-2026-39920 affects BridgeHead FileStore versions released before the 24A update (early 2024). The software exposes the Apache Axis2 administration module on network-accessible endpoints configured with default credentials. Because those defaults are publicly known, an attacker needs no credentials of their own: they can log in to the web administration console with the defaults, upload a malicious Java Archive (JAR) file as a web service, and then execute arbitrary operating system commands on the host via SOAP requests to the deployed service.

The vulnerability has received a CVSS score of 9.8 (CRITICAL) with a network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Impact

A successful exploit grants attackers full, unauthenticated remote code execution on the BridgeHead FileStore appliance or server. This means attackers can:

  • Execute any command on the underlying operating system
  • Install persistent backdoors or ransomware
  • Exfiltrate or encrypt stored healthcare or enterprise data
  • Use the compromised system as a pivot point into the internal network

Affected Versions

All BridgeHead FileStore deployments running versions prior to 24A are vulnerable. The 24A release, shipped in early 2024, remediates this issue by removing or securing the Apache Axis2 administration interface.

Remediation and Mitigation

Recommended action: Upgrade to BridgeHead FileStore version 24A or later immediately. There is no workaround that fully mitigates this vulnerability without upgrading.

Immediate mitigations if patching is delayed:

  1. Restrict network access to the FileStore management interface to trusted IP ranges only, using firewall rules.
  2. Disable or remove the Apache Axis2 admin console if it is not required for operations.
  3. Audit Axis2 deployment directories for unauthorized JAR files or web services.
  4. Review system logs for unusual SOAP API calls or unknown Axis2 service deployments.
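The attack chain in the Overview leaves two artifacts a defender can look for, which is what audit steps 3 and 4 above ask for: a service deployment that is not in the build's baseline, and access-log traffic to the Axis2 admin console or to a service that should not exist. The helper below is an added example, not BridgeHead's or Apache's code. It assumes an Apache common-log-format access log, a services directory laid out the way Axis2 deploys services (packaged archives or exploded directories under WEB-INF/services/), a constructed allowlist containing only Axis2's stock sample service, and a constructed trusted management range; all sample input is constructed inline.

```python
"""Audit helper for steps 3 and 4 above: flag unexpected Axis2 service
deployments on disk and suspicious SOAP/admin-console traffic in an access log.
Added example, not BridgeHead or Apache code; paths, log format and the
allowlist are assumptions to adapt to your own FileStore build."""
import ipaddress
import os
import re
import tempfile

# Services you expect to see deployed. "version" is the sample service Axis2 ships
# with; everything else in a real baseline comes from your build manifest (ASSUMPTION).
EXPECTED_SERVICES = {"version"}

# Networks allowed to reach the management interface (ASSUMPTION: one RFC 1918 range).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Axis2 deploys services from WEB-INF/services/ as archives or exploded directories.
SERVICE_EXTENSIONS = {".aar", ".jar"}

# Apache common log format: src ident user [ts] "METHOD PATH PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SERVICE_PATH = re.compile(r"^/axis2/services/([^/?]+)")


def find_unexpected_services(services_dir, expected=EXPECTED_SERVICES):
    """Return service artifacts in services_dir whose name is not in the baseline."""
    expected_lc = {e.lower() for e in expected}
    findings = []
    for name in sorted(os.listdir(services_dir)):
        path = os.path.join(services_dir, name)
        stem, ext = os.path.splitext(name)
        if os.path.isdir(path):
            service = name                      # exploded service directory
        elif ext.lower() in SERVICE_EXTENSIONS:
            service = stem                      # packaged service archive
        else:
            continue                            # README, descriptors, etc.
        if service.lower() not in expected_lc:
            findings.append({"service": service, "path": path})
    return findings


def review_access_log(lines, expected=EXPECTED_SERVICES, trusted=TRUSTED_NETWORKS):
    """Return one alert per log line that touches the admin console, invokes a
    service outside the baseline, or reaches Axis2 from an untrusted network."""
    expected_lc = {e.lower() for e in expected}
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith("/axis2/"):
            continue
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if "/axis2-admin/" in path:
            reasons.append("admin-console")     # step 2 says this should be disabled
        svc = SERVICE_PATH.match(path)
        if svc and m["method"] == "POST" and svc.group(1).lower() not in expected_lc:
            reasons.append("unknown-service-call")
        if not any(src in net for net in trusted):
            reasons.append("untrusted-source")
        if reasons:
            alerts.append({"src": m["src"], "ts": m["ts"], "path": path, "reasons": reasons})
    return alerts


# Constructed sample log: one benign call, then admin-console use and a call to an
# unknown service from an address outside the trusted range.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /axis2/services/Version HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2026:10:03:44 +0000] "POST /axis2/axis2-admin/login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Mar/2026:10:04:01 +0000] "POST /axis2/axis2-admin/upload HTTP/1.1" 200 880',
    '203.0.113.7 - - [12/Mar/2026:10:05:10 +0000] "POST /axis2/services/UnknownSvc HTTP/1.1" 200 300',
    '10.0.0.9 - - [12/Mar/2026:10:06:00 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 2048',
]


def build_sample_services_dir():
    """Create a constructed services directory: the stock sample plus one stray deployment."""
    root = tempfile.mkdtemp(prefix="axis2-services-")
    open(os.path.join(root, "version.aar"), "wb").close()
    os.mkdir(os.path.join(root, "UnknownSvc"))
    open(os.path.join(root, "README.txt"), "w").close()
    return root


if __name__ == "__main__":
    for f in find_unexpected_services(build_sample_services_dir()):
        print("unexpected service:", f["service"], f["path"])
    for a in review_access_log(SAMPLE_LOG):
        print(a["ts"], a["src"], a["path"], ",".join(a["reasons"]))
```

Run it against the real services directory and access log of a pre-24A host and every hit is worth a look: any admin-console request at all is a finding once step 2 has been applied, and a POST to a service name absent from the build manifest is the on-the-wire shape of the command execution described above. Keep the baseline in version control so a post-patch audit can show the interface stayed clean.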

Security Insight

CVE-2026-39920 demonstrates a recurring pattern in healthcare IT infrastructure: legacy middleware components (Apache Axis2, Tomcat, JBoss) shipped with default credentials that were never hardened during deployment. BridgeHead FileStore serves regulated industries such as healthcare, where verifying the fix after patching matters as much as applying it. This vulnerability underscores why vendors must remove all administrative default credentials from production builds and why asset owners should inventory every embedded web service interface exposed on backup infrastructure.
