Description
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
Published: 2026-04-02
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Authenticated users can inject arbitrary operating system commands via the DATE parameter in /cgi-bin/logs_ids.cgi. The application concatenates the parameter into a file path that is passed to a Perl open() call. A poorly constructed regular expression fails to filter malicious input, allowing the attacker to execute commands with the privileges of the web service. This results in full control of the affected firewall instance, compromising network security and device integrity.

Affected Systems

Boards running Endian Firewall version 3.3.25 and older, including the 2.1.2, 2.4, and 3.3.25 releases, are impacted by the vulnerability in the logs_ids.cgi script. Any administrator or authenticated user of these releases can exploit the flaw.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.7, indicating high severity. No EPSS score is published, and the flaw is not catalogued in CISA’s KEV list, yet the prerequisite of an authenticated session is common in managed firewall environments, making exploitation realistic. Attackers can craft a DATE value that injects shell commands, causing the web service to execute them with full host privileges.

Generated by OpenCVE AI on April 2, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Endian Firewall to the latest release (3.3.26 or newer).
  • Restrict or disable the /cgi-bin/logs_ids.cgi endpoint for non‑admin users.
  • Monitor HTTP requests for unexpected use of the DATE parameter and investigate anomalies.

Generated by OpenCVE AI on April 2, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
Title Endian Firewall /cgi-bin/logs_ids.cgi DATE Perl Command Injection
First Time appeared Endian
Endian firewall
Weaknesses CWE-78
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T18:41:43.303Z

Reserved: 2026-03-30T20:26:18.724Z

Link: CVE-2026-34794

cve-icon Vulnrichment

Updated: 2026-04-02T18:41:33.755Z

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:44.547

Modified: 2026-04-02T15:16:44.547

Link: CVE-2026-34794

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:49Z

Weaknesses