Cyber Posture

CVE-2026-34792

HighPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0046 64.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which…

more

allows command injection due to an incomplete regular expression validation.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by requiring validation of the untrusted DATE parameter prior to its use in constructing the file path for the Perl open() call.

SI-2 Flaw Remediation good match
prevent

Remediates the specific flaw in the incomplete regular expression validation within the logs_clamav.cgi script to eliminate the command injection vulnerability.

SI-9 Information Input Restrictions good match
prevent

Restricts the DATE parameter to only valid date formats via whitelisting or blacklisting, blocking malformed inputs that enable command injection.

Security SummaryAI

CVE-2026-34792 is a command injection vulnerability (CWE-78) in Endian Firewall versions 3.3.25 and prior. The issue resides in the /cgi-bin/logs_clamav.cgi script, where the DATE parameter is used to construct a file path passed directly to a Perl open() call. Due to an incomplete regular expression validation, this allows authenticated users to inject and execute arbitrary OS commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility and significant impacts.

An attacker with low-privilege authenticated access can exploit this remotely with low complexity and no user interaction required. By crafting a malicious DATE parameter value, they bypass validation and inject commands via the Perl open() mechanism, achieving arbitrary OS command execution on the firewall appliance. This grants high confidentiality, integrity, and availability impacts, potentially enabling full system compromise.

Advisories from Endian (https://help.endian.com/hc/en-us/sections/360004371358-Community) and VulnCheck (https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-clamav-cgi-date-perl-command-injection) provide additional details on the issue, published on 2026-04-02.

Details

CWE(s)
CWE-78

Affected Products

endian
firewall community
≤ 3.3.25

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in a remote CGI script enables low-priv authenticated attackers to achieve arbitrary OS command execution on a Linux-based firewall, directly facilitating exploitation of remote services (T1210), privilege escalation via exploitation (T1068), and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References