CVE-2026-34790

CVE-2026-34790 is a directory traversal vulnerability (CWE-22) affecting Endian Firewall versions 3.3.25 and prior. The flaw exists in the `/cgi-bin/backup.cgi` script, where the `remove ARCHIVE` parameter is used to construct a file path without sanitizing directory traversal sequences (`../`). This unsanitized path is passed directly to an `unlink()` call, enabling authenticated users to delete arbitrary files on the system. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), indicating high integrity impact with low availability impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. By crafting a request to `/cgi-bin/backup.cgi` with a malicious `remove ARCHIVE` parameter containing directory traversal payloads, the attacker can target and delete sensitive files, potentially disrupting firewall operations, configurations, or logs. Successful exploitation leads to unauthorized file deletion, compromising system integrity and partial availability without affecting confidentiality.

Advisories from Endian and Vulncheck detail the issue and recommend mitigation. Endian's community support section (https://help.endian.com/hc/en-us/sections/360004371358-Community) provides relevant guidance, while Vulncheck's advisory (https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-backup-cgi-remove-archive-directory-traversal) offers technical analysis on the traversal vulnerability in the backup CGI endpoint. Security practitioners should consult these for patch availability and workarounds in affected Endian Firewall deployments.