Authenticated users of Endian Firewall can invoke arbitrary operating‑system commands by supplying a crafted DATE value when requesting /cgi-bin/logs_log.cgi. The application builds a filepath from that value and passes it to the Perl open() routine without sufficient validation, exposing the system to command injection. An attacker who is able to send such requests can execute any command on the firewall host, potentially compromising confidentiality, integrity, and availability of the entire appliance.

The flaw affects Endian Firewall distributions 2.1.2, 2.4, 3.3.25, and the Community edition up through version 3.3.25. All authenticated users on these releases are vulnerable, regardless of privileges, and can exploit the injection via the web interface.

With a CVSS score of 8.7 the vulnerability is classified as high severity. The EPSS score is below 1%, indicating a low current likelihood of exploitation, and the flaw is not listed in CISA’s KEV catalog. However, because it requires only legitimate credentials and simple HTTP requests, an internal attacker or any compromised account can use the exposed endpoint to run arbitrary commands. No additional mitigations are mentioned by the vendor in the advisory; therefore systems remain at risk until patched or mitigated.