Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-39920 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-24 |
| Vendor | BridgeHead |
| Product | FileStore |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |

Vulnerability Description
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials, allowing unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
Required Actions
Update BridgeHead FileStore to version 24A or later immediately. Until the patch is deployed, change the default Apache Axis2 console credentials at once, block external access to Axis2 administrative endpoints, restrict FileStore access to trusted network segments only, and scan the system for indicators of compromise (unauthorized web services, Java archives, suspicious processes).
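One way to carry out the archive part of the indicator scan above, as an added example that is not BridgeHead's or the advisory's own tooling: it hashes every .aar, .mar and .jar file under a directory and compares the result with a known-good baseline. The root path, the baseline and the sample files are assumptions, since the advisory gives no FileStore install paths.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Axis2 deploys services as .aar archives and modules as .mar archives;
# .jar is included because the advisory also mentions Java archives.
ARCHIVE_SUFFIXES = {".aar", ".mar", ".jar"}


def sha256_of(path: Path) -> str:
    """Return the SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_archives(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare archives under root with a {relative path: sha256} baseline."""
    seen = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            seen[path.relative_to(root).as_posix()] = sha256_of(path)
    return {
        "unexpected": [p for p in seen if p not in baseline],
        "modified": [p for p in seen if p in baseline and seen[p] != baseline[p]],
        "missing": [p for p in baseline if p not in seen],
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: one baselined service, one archive added afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        services = Path(tmp) / "WEB-INF" / "services"  # assumed webapp layout
        services.mkdir(parents=True)
        with zipfile.ZipFile(services / "version.aar", "w") as aar:
            aar.writestr("META-INF/services.xml", "<service name='Version'/>")
        baseline = {"WEB-INF/services/version.aar": sha256_of(services / "version.aar")}
        with zipfile.ZipFile(services / "added-later.aar", "w") as aar:
            aar.writestr("META-INF/services.xml", "<service name='Unknown'/>")
        return audit_archives(Path(tmp), baseline)


if __name__ == "__main__":
    print(demo())
```

Build the baseline from a vendor installation package or a host known to be clean, not from the system under investigation.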
Who Is Affected?
This vulnerability affects BridgeHead FileStore versions earlier than 24A. Check whether your organization uses BridgeHead FileStore (an archiving solution common in healthcare); if it does, update the installation and change the default credentials immediately.
