CVE-2026-34791

HighPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

07 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0046 64.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which…

allows command injection due to an incomplete regular expression validation.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents command injection by requiring validation and sanitization of the DATE parameter before its use in constructing file paths for Perl open() calls.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification, reporting, and correction of flaws like the incomplete regex validation in logs_proxy.cgi, eliminating the vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 enables vulnerability scanning to identify command injection issues such as CVE-2026-34791 in the Endian Firewall CGI script.

Security SummaryAI

CVE-2026-34791 is a command injection vulnerability (CWE-78) affecting Endian Firewall versions 3.3.25 and prior. The flaw resides in the /cgi-bin/logs_proxy.cgi script, where the DATE parameter is used to construct a file path passed to a Perl open() call. Due to incomplete regular expression validation, this enables authenticated users to inject and execute arbitrary OS commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility and significant impacts on confidentiality, integrity, and availability.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious DATE parameter value, the attacker bypasses validation and injects OS commands via the Perl open() mechanism, potentially achieving full system compromise including data exfiltration, modification, or disruption on the affected Endian Firewall appliance.

Mitigation details are available in advisories from Endian and VulnCheck. Refer to the Endian Community section at https://help.endian.com/hc/en-us/sections/360004371358-Community and the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-proxy-cgi-date-perl-command-injection for patch information and remediation guidance.

Details

CWE(s): CWE-78

Affected Products

endian

firewall community

≤ 3.3.25

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection (CWE-78) in a public-facing CGI web script on a Linux-based firewall, enabling authenticated low-priv users to execute arbitrary OS (Unix shell) commands remotely, directly mapping to exploitation of public-facing applications and Unix shell command interpreters.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://help.endian.com/hc/en-us/sections/360004371358-Community
Release Notes · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-proxy-cgi-date-perl-command-injection
Third Party Advisory · disclosure@vulncheck.com