Impact
Authenticated users of Endian Firewall can send a crafted DATE parameter to the /cgi-bin/logs_openvpn.cgi script, causing the script to construct an unvalidated file path that is passed to a Perl open() call, thereby allowing arbitrary OS commands to be executed as the web server user. The resulting command injection can lead to full compromise of the firewall machine, including loss of confidentiality, integrity, and availability of network services managed by the device.
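The defensive pattern for the flaw described above, as an added example that is not Endian's code: the DATE value is validated against a strict format before it reaches a path, and the file is opened with three-argument open(). The YYYY-MM-DD format, the log file naming and the helper names validate_date and open_log_for_date are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Endian's code. The log directory, the file naming
# and the YYYY-MM-DD format of DATE are assumptions for illustration.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Accept only a well-formed calendar date; anything else is rejected
# before it can become part of a file path.
sub validate_date {
    my ($date) = @_;
    return undef unless defined $date;
    # \A and \z anchor the whole string (no trailing newline allowed).
    return undef unless $date =~ /\A(\d{4})-(\d{2})-(\d{2})\z/;
    my ($y, $m, $d) = ($1, $2, $3);
    return undef if $m < 1 || $m > 12 || $d < 1 || $d > 31;
    return "$y-$m-$d";    # rebuilt from the captures, never the raw input
}

# Open the log for a validated date, read-only.
sub open_log_for_date {
    my ($log_dir, $raw_date) = @_;
    my $date = validate_date($raw_date) or return;
    my $path = File::Spec->catfile($log_dir, "openvpn-$date.log");
    # Three-argument open with an explicit '<' mode treats $path purely
    # as a file name. The two-argument form open($fh, $path) parses mode
    # characters out of the string itself, which is what makes an
    # unvalidated path dangerous.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed demo data: a temporary directory holding one log file.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'openvpn-2024-01-15.log'))
    or die "cannot create sample log: $!";
print {$out} "constructed sample log line\n";
close($out);

# Constructed inputs: one valid date and three that must be rejected.
for my $input ('2024-01-15', '2024-13-01', '2024-01-15|', '../2024-01-15') {
    my $fh = open_log_for_date($dir, $input);
    printf "%-16s %s\n", $input, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```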
Affected Systems
The vulnerability affects Endian Firewall 3.3.25 and all earlier releases, including the community build. Installations running version 3.3.25, 2.4, or the older 2.1.2 are susceptible. The issue has been identified in both the standard enterprise and community installations, so all organizations relying on these builds are at risk until a newer release is applied.
Risk and Exploitability
The CVSS base score of 8.7 denotes high severity. The EPSS score indicates that exploitation probability is currently low (<1%), but the vulnerability requires only authenticated access to the firewall and can be triggered via the web interface, making it exploitable within an internal network or by users with credentials. The vulnerability is not listed in the CISA KEV catalog, which suggests that no widely distributed exploitation has been observed yet, but the impact remains high for affected systems.