Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
AnalysisAI
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_smtp.cgi. The vulnerability stems from incomplete regular expression validation enabling Perl open() injection. With CVSS 8.7 severity and a low attack complexity (AC:L), this represents a critical post-authentication compromise vector. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for exploit development by threat actors with valid credentials.
Technical ContextAI
This vulnerability exploits a classic Perl open() injection pattern where user-supplied input is insufficiently validated before being passed to file operations. The DATE parameter value is incorporated into a file path string that becomes an argument to Perl's two-argument open() function. In Perl, open() with certain special characters (particularly pipe '|') can execute shell commands instead of opening files. The incomplete regular expression validation fails to properly sanitize shell metacharacters, allowing an authenticated attacker to break out of the intended file path context and inject arbitrary commands. This is a manifestation of CWE-78 (Improper Neutralization of Special Elements used in an OS Command), specifically through the dangerous practice of using user input in Perl open() calls without proper input validation. Endian Firewall is a Linux-based UTM appliance, meaning successful exploitation grants OS-level command execution on the firewall itself, compromising the network security boundary.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations should immediately check the Endian Community support section at https://help.endian.com/hc/en-us/sections/360004371358-Community for updated security advisories and version releases addressing CVE-2026-34797. Until an official patch is available, implement the following risk mitigations: restrict access to the Endian Firewall administrative interface to trusted management networks only, disable external access to CGI endpoints if operationally feasible, implement network-based access controls limiting who can authenticate to the firewall management interface, enforce strong authentication policies including multi-factor authentication if supported, and monitor logs for suspicious POST requests to /cgi-bin/logs_smtp.cgi containing shell metacharacters in the DATE parameter. Consider upgrading to Endian EFW Enterprise if available patches address this issue in commercial versions. Given the authenticated nature of the vulnerability, priority should be placed on credential protection and management network segmentation as interim controls.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18276
GHSA-c2cq-vr56-2568