Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
AnalysisAI
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_firewall.cgi. The vulnerability stems from inadequate regular expression validation that fails to prevent command injection in Perl open() calls. Authentication is required (PR:L), but once accessed, attackers gain high-impact control over confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for weaponization. EPSS data not available for this recent CVE.
Technical ContextAI
This vulnerability affects Endian Firewall Community Edition version 3.3.25 and all prior versions, a Linux-based unified threat management (UTM) appliance. The flaw is classified as CWE-78 (OS Command Injection) and resides in the logs_firewall.cgi CGI script written in Perl. The vulnerable code accepts user-supplied input via the DATE parameter and uses it to construct file paths passed directly to Perl's open() function. Perl's open() is notoriously dangerous when handling untrusted input because it interprets pipe characters and other shell metacharacters, enabling command execution. The developers attempted input validation using a regular expression, but the pattern was incomplete or bypassable, failing to sanitize malicious payloads. This represents a classic server-side injection vulnerability where backend code insufficiently validates data before using it in system-level operations. The network-accessible attack vector (AV:N) combined with low attack complexity (AC:L) makes this straightforward to exploit once an attacker obtains valid credentials.
RemediationAI
Organizations running Endian Firewall Community Edition 3.3.25 or earlier should immediately check for available security updates through the Endian help center at https://help.endian.com/hc/en-us/sections/360004371358-Community and apply any patched versions addressing CVE-2026-34793. Upstream fix availability from the vendor has not been independently confirmed from available data at time of analysis. As interim mitigation measures while awaiting patches, administrators should implement strict access controls limiting who can authenticate to the firewall management interface, enforce strong password policies, and monitor access logs for suspicious DATE parameter values in requests to logs_firewall.cgi. Network segmentation should isolate the Endian management interface from untrusted networks, restricting access only to dedicated administrative VLANs or VPN connections. Consider disabling the vulnerable CGI script if firewall log viewing through the web interface is not operationally critical, though this may impact management workflows. Detailed technical analysis is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-firewall-cgi-date-perl-command-injection for security teams evaluating compensating controls.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18268