Skip to main content

Firewall Community CVE-2026-34794

| EUVDEUVD-2026-18270 HIGH
OS Command Injection (CWE-78)
2026-04-02 disclosure@vulncheck.com GHSA-m82g-g4wp-pm4m
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18270
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
HIGH 8.7

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

AnalysisAI

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS commands with firewall appliance privileges via command injection in the DATE parameter of /cgi-bin/logs_ids.cgi. The vulnerability stems from incomplete regular expression validation before passing user input to Perl's open() function. CVSS score of 8.7 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No CISA KEV listing or public exploit code identified at time of analysis, though VulnCheck public disclosure increases weaponization risk for organizations using this legacy firewall appliance.

Technical ContextAI

This vulnerability exploits a classic command injection weakness (CWE-78) in Perl CGI scripts through dangerous use of the open() function. The /cgi-bin/logs_ids.cgi endpoint accepts a DATE parameter intended for log file path construction, but employs insufficient input validation via regular expressions. Perl's open() function is notoriously dangerous when handling untrusted input because it interprets pipe characters and shell metacharacters, allowing attackers to append commands (e.g., DATE='valid_path|malicious_command|'). Endian Firewall is a Linux-based UTM appliance built on IPCop, commonly deployed as network perimeter security infrastructure. The affected CGI scripts run with elevated firewall appliance privileges, making successful exploitation particularly severe as it grants attackers control over the security boundary itself. This represents a fundamental secure coding failure where sanitization logic failed to account for all shell metacharacter sequences that Perl's open() interprets as command execution directives.

RemediationAI

Organizations running affected Endian Firewall versions should immediately assess migration options, as Endian Firewall Community Edition has reached end-of-life status and no vendor-released patch for CVE-2026-34794 has been identified at time of analysis. Primary remediation is to migrate to currently supported firewall platforms from active vendors. As interim risk reduction measures: restrict administrative interface access to trusted management networks only (never expose to internet); implement strict IP allowlisting for firewall administration; audit and minimize user accounts with any level of firewall access; monitor authentication logs and system command execution for suspicious activity patterns. Review firewall access control policies to ensure principle of least privilege, as the vulnerability requires authenticated access (PR:L). For mission-critical deployments unable to migrate immediately, consider deploying a reverse proxy with strict input validation in front of the administrative interface, though this workaround complexity may exceed migration effort. Consult VulnCheck advisory at vulncheck.com/advisories/endian-firewall-cgi-bin-logs-ids-cgi-date-perl-command-injection for additional technical indicators and vendor migration guidance at help.endian.com community resources.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34796 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi

CVE-2026-34795 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to

CVE-2026-34793 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34790 HIGH
7.1 Apr 02

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

CVE-2026-34818 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious

Share

CVE-2026-34794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy