Cyber Posture

CVE-2026-34794

HighPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0046 64.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which…

more

allows command injection due to an incomplete regular expression validation.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly prevents command injection by requiring validation of the DATE parameter using complete regular expressions or equivalent techniques before passing to Perl open().

SI-2 Flaw Remediation good match
prevent

SI-2 remediates the specific flaw in /cgi-bin/logs_ids.cgi by identifying, patching, and verifying updates for this command injection vulnerability.

SI-9 Information Input Restrictions partial match
prevent

SI-9 restricts the DATE parameter to safe lengths, types, and sources, blocking malformed inputs that enable command injection.

Security SummaryAI

CVE-2026-34794, published on 2026-04-02, is a command injection vulnerability (CWE-78) in Endian Firewall version 3.3.25 and prior. The issue resides in the /cgi-bin/logs_ids.cgi script, where the DATE parameter is used to build a file path passed directly to a Perl open() call. Incomplete regular expression validation on the parameter enables injection of arbitrary OS commands.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by authenticated users with low privileges over the network, requiring low attack complexity and no user interaction. Attackers can achieve arbitrary OS command execution, resulting in high impacts to confidentiality, integrity, and availability on the affected firewall system.

Mitigation guidance is available in vendor resources, including the Endian community section at https://help.endian.com/hc/en-us/sections/360004371358-Community and the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-ids-cgi-date-perl-command-injection.

Details

CWE(s)
CWE-78

Affected Products

endian
firewall community
≤ 3.3.25

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in web CGI script (/cgi-bin/logs_ids.cgi) enables remote exploitation for arbitrary OS command execution, directly facilitating T1190 (public-facing web app exploit), T1210 (remote service exploitation), and T1059.004 (Unix shell execution on Linux-based firewall).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References