CVE-2026-34790 is a path traversal vulnerability classified under CWE-22 affecting Endian Firewall version 3.3.25 and prior. The vulnerability exists in the /cgi-bin/backup.cgi CGI script, specifically in the handling of the remove ARCHIVE parameter. This parameter is used to construct a file path that is subsequently passed to the unlink() system call to delete files. However, the input is not sanitized to remove directory traversal sequences such as '../', allowing an authenticated user to specify arbitrary file paths outside the intended directory. This flaw enables deletion of arbitrary files on the firewall system, which can lead to denial of service or compromise of system integrity. The vulnerability requires authentication but no further privileges or user interaction. The CVSS 4.0 base score is 7.1 (high), reflecting the network attack vector, low attack complexity, no user interaction, and high impact on integrity. There are no known exploits in the wild yet, and no patches have been linked at the time of publication. The flaw highlights insufficient input validation and unsafe file operation practices in the affected CGI script.

The primary impact of this vulnerability is the unauthorized deletion of arbitrary files on the Endian Firewall system by an authenticated attacker. This can disrupt firewall operations, cause denial of service, and potentially remove critical configuration or system files, leading to system instability or failure. The integrity of the firewall system is severely compromised, which may allow attackers to degrade network security or cause outages. Since the firewall is a critical security perimeter device, its compromise can have cascading effects on the protected network, increasing exposure to further attacks. Organizations relying on Endian Firewall 3.3.25 or earlier versions are at risk of operational disruption and potential data loss. The requirement for authentication limits exposure but does not eliminate risk, especially in environments where user credentials may be compromised or where multiple users have access to the firewall management interface.

To mitigate this vulnerability, organizations should immediately upgrade Endian Firewall to a version where this issue is fixed once available. In the absence of a patch, restrict access to the /cgi-bin/backup.cgi endpoint to trusted administrators only, ideally through network segmentation or firewall rules. Implement strict input validation or filtering on the remove ARCHIVE parameter to reject directory traversal sequences such as '../'. Monitor firewall logs for suspicious requests targeting backup.cgi with unusual parameter values. Employ multi-factor authentication to reduce the risk of credential compromise. Regularly back up firewall configurations and system files to enable recovery in case of file deletion. Consider deploying a web application firewall (WAF) with rules to detect and block directory traversal attempts. Finally, conduct security awareness training for administrators to recognize and report suspicious activity.