Description
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
Published: 2026-04-02
Score: 8.7 High (CVSS v4.0; the v3.1 base score is 8.8)
EPSS: n/a
KEV: No
Impact: Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates in the DATE parameter of /cgi-bin/logs_openvpn.cgi. Endian Firewall 3.3.25 and earlier interpolate this parameter into a file path and hand that string to a Perl open() call. Input validation relies on an incomplete regular expression, so characters that change the meaning of the string reach open() unfiltered. Perl's two-argument open() decides the open mode from the string itself: a leading pipe character makes it write to a command, and a trailing pipe makes it execute everything before it as a command (via /bin/sh when shell metacharacters are present) and read the command's output. A DATE value that slips past the regex can therefore turn a log-file read into OS command execution on the appliance, in the context of the CGI process. This is CWE-78, OS command injection.
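The pattern described above, reproduced as an added Perl illustration written for this page. It is not Endian's CGI code: the log directory, the "$dir/$date" path layout, the two regexes and the function names are assumptions chosen to show a start-anchored regex feeding a two-argument open(), next to the hardened form (full-value allowlist plus three-argument open()).

```perl
#!/usr/bin/perl
# Added demonstration of the Perl open() pitfall behind this CWE-78 finding.
# Illustrative code for this page, not Endian's CGI: the log directory, the
# "$dir/$date" path layout and both regexes are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed stand-in for the OpenVPN log directory (assumption, not from
# the advisory). A real per-day log is created so the legitimate case works.
my $logdir = tempdir(CLEANUP => 1);
open(my $seed, '>', "$logdir/2026-04-02") or die "seed: $!";
print {$seed} "Thu Apr  2 10:00:00 2026 Initialization Sequence Completed\n";
close $seed;

# Incomplete check: anchored only at the start, so anything may follow the
# date. A value such as "2026-04-02; echo INJECTED |" passes.
sub weak_validate {
    my ($date) = @_;
    return $date =~ /^\d{4}-\d{2}-\d{2}/ ? 1 : 0;
}

# Two-argument open(): when the string ends in "|", Perl runs everything
# before it as a command (through /bin/sh if it contains metacharacters)
# and hands us the command's stdout. The attacker-controlled DATE decides
# whether this opens a file or executes a shell pipeline.
sub vulnerable_read {
    my ($date) = @_;
    return "rejected\n" unless weak_validate($date);
    my $path = "$logdir/$date";
    open(my $fh, $path) or return "open failed: $!\n";   # <-- the bug
    my $out = join '', <$fh>;
    close $fh;
    return $out;
}

# Hardened: allowlist the complete value (\A...\z rather than $, so a
# trailing newline cannot sneak through) and use three-argument open(),
# whose filename argument is never interpreted as a mode or a command.
sub strict_validate {
    my ($date) = @_;
    return $date =~ /\A\d{4}-\d{2}-\d{2}\z/ ? 1 : 0;
}

sub hardened_read {
    my ($date) = @_;
    return "rejected\n" unless strict_validate($date);
    my $path = "$logdir/$date";
    open(my $fh, '<', $path) or return "open failed: $!\n";
    my $out = join '', <$fh>;
    close $fh;
    return $out;
}

my $good    = '2026-04-02';
# Constructed attack value: the stderr redirect only silences sh's complaint
# about trying to execute the log file before it runs the injected command.
my $payload = '2026-04-02 2>/dev/null; echo INJECTED |';

print "vulnerable, benign : ", vulnerable_read($good);
print "vulnerable, payload: ", vulnerable_read($payload);   # a command ran
print "hardened,   benign : ", hardened_read($good);
print "hardened,   payload: ", hardened_read($payload);
```

The fix has two halves and both matter: the allowlist regex stops the injected text from ever reaching open(), and the three-argument form removes the class of bug entirely, since an explicit '<' mode means the filename is only ever a filename. Where a filename must be interpolated from request data, three-argument open() (or a sysopen call) should be the default regardless of how strict the validation looks.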

Affected Systems

Endian Firewall is the affected product. The CPEs attached to the record name versions 2.1.2, 2.4 and 3.3.25; the vendor description covers 3.3.25 and all earlier releases. Exploitation requires a valid account that can reach the affected CGI script; both CVSS vectors rate the required privileges as low (PR:L), so a low-privileged authenticated user suffices.

Risk and Exploitability

The CVSS v3.1 base score is 8.8 and the v4.0 score is 8.7, both High: network-reachable, low attack complexity, low privileges, no user interaction, and full loss of confidentiality, integrity and availability on the vulnerable component. No EPSS score is available and the vulnerability is not in the CISA KEV catalog; that reflects what is publicly known at publication, not the inherent severity. Because the flaw requires authenticated access, exposure is governed by who can reach the management interface and by credential hygiene (phished, reused or default credentials turn this into a one-request compromise). Once exploited, the injected command runs on the firewall appliance itself, which places the attacker inside the security boundary the device is supposed to enforce.

Generated by OpenCVE AI on April 2, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's fix or upgrade to a release later than 3.3.25 as soon as one is published (none is listed at the time of writing).
  • Until then, restrict access to /cgi-bin/logs_openvpn.cgi, and to the management interface in general, to trusted administrative networks and accounts, and review who holds credentials for it.
  • If an upgrade is not immediately possible and the UI sits behind a reverse proxy or WAF, allowlist the DATE parameter to a single YYYY-MM-DD value and reject everything else. A blocklist of shell metacharacters (';', '&', '|', '$') is a stopgap at best: it is easy to miss variants such as newlines, backticks or percent-encoded forms, and the exact characters that matter depend on how the CGI builds the path.
  • Disable the OpenVPN logs feature if it is not required for your deployment.
  • Monitor web server access logs for requests to /cgi-bin/logs_openvpn.cgi whose DATE value is not a bare date, and for POST requests to the script, whose parameters the access log does not record. On the appliance, look for unexpected child processes of the web server and for files written outside the normal log paths.
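A detection pass of the kind the monitoring item above describes, as an added example written for this page (not OpenCVE or Endian tooling). It assumes Apache/NCSA combined-format access log lines; the sample lines are constructed, including two suspicious DATE values, and the script flags any DATE that is not exactly YYYY-MM-DD plus any POST to the script, since a POSTed DATE cannot be inspected from the access log alone.

```perl
#!/usr/bin/perl
# Added example (not part of the advisory, not Endian tooling): flag requests
# to logs_openvpn.cgi whose DATE parameter is not a bare YYYY-MM-DD.
# Assumes Apache/NCSA combined log lines. The sample lines are constructed.
use strict;
use warnings;

my @lines = (
  '10.0.0.5 - admin [02/Apr/2026:10:01:00 +0000] "GET /cgi-bin/logs_openvpn.cgi?ACTION=view&DATE=2026-04-02 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - admin [02/Apr/2026:10:02:13 +0000] "GET /cgi-bin/logs_openvpn.cgi?DATE=2026-04-02%3B%20id%20%7C HTTP/1.1" 200 312 "-" "curl/8.5.0"',
  '10.0.0.9 - admin [02/Apr/2026:10:02:40 +0000] "GET /cgi-bin/logs_openvpn.cgi?DATE=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 250 "-" "curl/8.5.0"',
  '10.0.0.5 - admin [02/Apr/2026:10:03:00 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.0.0.9 - admin [02/Apr/2026:10:04:00 +0000] "POST /cgi-bin/logs_openvpn.cgi HTTP/1.1" 200 300 "-" "curl/8.5.0"',
);

# Minimal application/x-www-form-urlencoded decoding for query strings.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Make control bytes printable so a newline in a payload is visible.
sub visible {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Returns undef for lines that are not of interest, otherwise a reason string.
sub check_line {
    my ($line) = @_;
    my ($method, $uri) = $line =~ /"(GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/ or return;
    my ($path, $query) = split /\?/, $uri, 2;
    return unless $path eq '/cgi-bin/logs_openvpn.cgi';
    # Body parameters never appear in the access log, so a POSTed DATE can
    # only be checked from the CGI's own logging or a request capture.
    return "POST to logs_openvpn.cgi: DATE not visible in access log"
        if $method eq 'POST';
    return unless defined $query;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && url_decode($k) eq 'DATE';
        $v = url_decode(defined $v ? $v : '');
        # Same full-value allowlist the CGI should have applied.
        return "suspicious DATE value: " . visible($v)
            unless $v =~ /\A\d{4}-\d{2}-\d{2}\z/;
    }
    return;
}

for my $line (@lines) {
    my $hit = check_line($line);
    next unless defined $hit;
    my ($ip) = $line =~ /^(\S+)/;
    my ($ts) = $line =~ /\[([^\]]+)\]/;
    print "$ts $ip $hit\n";
}
```

Run against real logs, replace the constructed @lines with a read of the access log and keep the allowlist as the only rule: matching on specific metacharacters would miss the traversal sample above and any encoding not anticipated, while "exactly one date" rejects every value the script had no business receiving.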


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Description                           Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
Title                                 Endian Firewall /cgi-bin/logs_openvpn.cgi DATE Perl Command Injection
First Time appeared                   Endian
                                      Endian firewall
Weaknesses                            CWE-78
CPEs                                  cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
                                      cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
                                      cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products                    Endian
                                      Endian firewall
References                            (none listed)
Metrics                               cvssV3_1: 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                                      cvssV4_0: 8.7, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T14:45:51.850Z

Reserved: 2026-03-30T20:26:18.724Z

Link: CVE-2026-34796

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T15:16:45.050

Modified: 2026-04-02T15:16:45.050

Link: CVE-2026-34796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:47Z

Weaknesses