Endian Firewall services include a CGI script /cgi-bin/logs_log.cgi that processes a DATE parameter. In versions 3.3.25 and earlier the script builds a file path from the supplied value and passes it directly to a Perl open() call. The regular expression used to validate the parameter does not fully escape shell metacharacters, permitting an attacker to inject arbitrary shell commands. An affected user who authenticates to the firewall can therefore execute any OS command on the underlying host. This type of injection maps to CWE-78 and results in complete loss of confidentiality, integrity and availability of the affected system.

Any installation of Endian Firewall from version 2.1.2 through 3.3.25 is affected. The vulnerability is present in the endorsed CPE entries for these releases, and all earlier releases that match the same product line are also vulnerable because the same CGI script and validation logic are unchanged. Administrators should therefore verify their current firmware version and compare it to the listed releases.

The CVSS v3 base score of 8.7 indicates a high impact with a medium privileged threat complexity, reflecting the requirement for local or web‑based authenticated access. Although the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the exploitability remains high because the script is part of the web interface and a valid credential grants access. Once authenticated, the attacker can trigger arbitrary OS command execution, making the risk level significant for any organization running these firmware versions.