Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.
AnalysisAI
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through the /cgi-bin/backup.cgi remove ARCHIVE parameter. Attackers with low-privileged network access can leverage unsanitized path construction passed to unlink() to achieve high-integrity impact by removing critical system files. EPSS data not available; no public exploit identified at time of analysis, though the technical details disclosed by VulnCheck increase weaponization risk for authenticated threat actors.
Technical ContextAI
Endian Firewall's backup.cgi CGI script accepts a remove ARCHIVE parameter intended for deleting backup files. The vulnerability stems from CWE-22 (Path Traversal) where user-supplied input containing directory traversal sequences (../) is not validated or sanitized before being concatenated into a file path string. This unsanitized path is then passed directly to the unlink() system call, which removes files from the filesystem. An attacker can inject traversal sequences like ../../etc/shadow or ../../../../opt/endian/critical-config to escape the intended backup directory and delete arbitrary files accessible to the web server process. The CVSS:4.0 vector indicates network-based attack (AV:N), low complexity (AC:L), requiring low privileges (PR:L) but no user interaction (UI:N), resulting in high integrity impact (VI:H) and low availability impact (VA:L) to the vulnerable system.
RemediationAI
Upgrade to Endian Firewall Community Edition version 3.3.26 or later if available, consulting the official Endian Help Center at https://help.endian.com/hc/en-us/sections/360004371358-Community for release announcements and upgrade procedures. If immediate patching is not feasible, implement compensating controls including strict authentication and authorization enforcement for the /cgi-bin/backup.cgi interface, restricting access to highly trusted administrative accounts only. Deploy web application firewall (WAF) rules or input validation filters to detect and block directory traversal sequences (../, ..\, URL-encoded variants) in the remove ARCHIVE parameter. Review firewall access logs for suspicious backup.cgi requests containing traversal patterns and investigate any anomalous file deletion activity. Implement file integrity monitoring on critical system files to detect unauthorized deletion attempts. Consider network segmentation to limit access to the management interface from trusted administrative networks only. Full technical disclosure is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-backup-cgi-remove-archive-directory-traversal for security teams developing detection signatures.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18262