Impact
The vulnerability allows an authenticated attacker to inject arbitrary JavaScript into the remark field processed by /cgi-bin/routing.cgi. Because the input is stored and subsequently rendered to other users, the injected script executes in the context of those users' browsers, enabling session hijacking, credential theft, manipulation of the interface, or other malicious actions. The flaw is a classic stored XSS (CWE-79) and is limited to the web interface of affected Endian Firewall installations.
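The stored-then-rendered flow described above, shown as an added example with the flawed rendering pattern beside output encoding and a check for remarks already in storage. This is not Endian's code and does not come from the advisory; the field names, row template and function names are assumptions, and the sample rows are constructed.

```python
import html
import re

# Constructed sample rows: routing rules as stored after an authenticated user
# saved them. Field names and layout are assumptions, not Endian's schema.
STORED_RULES = [
    {"source": "10.0.0.0/24", "gateway": "192.0.2.1", "remark": "branch uplink"},
    {"source": "10.0.1.0/24", "gateway": "192.0.2.2", "remark": "<script>alert(1)</script>"},
    {"source": "10.0.2.0/24", "gateway": "192.0.2.3", "remark": '" onmouseover="x'},
]

ROW = '<tr><td>{source}</td><td>{gateway}</td><td title="{remark}">{remark}</td></tr>'

# Characters that can change HTML parsing in element or attribute context.
MARKUP_CHARS = re.compile(r"[<>\"'&]")


def render_row_unsafe(rule):
    """Flawed pattern: stored text is interpolated into markup unchanged."""
    return ROW.format(**rule)


def render_row_safe(rule):
    """Encode every stored field at output time (element and attribute safe)."""
    return ROW.format(**{k: html.escape(v, quote=True) for k, v in rule.items()})


def audit_stored_remarks(rules):
    """Return indexes of already-stored remarks that contain markup characters,
    so they can be reviewed after the rendering fix is deployed."""
    return [i for i, r in enumerate(rules) if MARKUP_CHARS.search(r["remark"])]


def validate_remark(remark, max_len=255):
    """Input-side defence in depth: reject overlong or markup-bearing remarks."""
    return len(remark) <= max_len and not MARKUP_CHARS.search(remark)


if __name__ == "__main__":
    for rule in STORED_RULES:
        print(render_row_safe(rule))
    print("remarks to review:", audit_stored_remarks(STORED_RULES))
```

Encoding at output time is the primary control because it also neutralises remarks saved before any input validation existed; the audit function covers the cleanup of those older entries.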
Affected Systems
Endian Firewall products are affected, including all versions 2.1.2, 2.4, 3.3.25 and earlier, as well as the community edition. The issue resides in the /cgi-bin/routing.cgi script that processes the remark parameter.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% signals a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. An attacker must be authenticated to the firewall's web interface to supply the malicious remark, so exploitation is limited to internal attackers or members of the privileged user set. Although the flaw does not cause denial of service directly, the XSS can lead to significant compromise of user sessions and confidentiality when the affected page is rendered.
OpenCVE Enrichment