CVE-2026-34794 is an OS command injection vulnerability identified in Endian Firewall version 3.3.25 and prior. The flaw exists in the handling of the DATE parameter passed to the /cgi-bin/logs_ids.cgi CGI script. This parameter is used to build a file path that is subsequently opened via a Perl open() call. The input validation relies on an incomplete regular expression, which fails to properly neutralize special characters or command delimiters. As a result, an authenticated attacker can inject arbitrary OS commands by crafting malicious input in the DATE parameter. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, no user interaction, and the requirement of only low privileges (authentication). The impact includes potential full system compromise, as arbitrary commands can be executed with the privileges of the web server process. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (April 2, 2026).

The exploitation of this vulnerability can have severe consequences for organizations deploying Endian Firewall 3.3.25 or earlier. Successful command injection can lead to unauthorized execution of arbitrary commands on the firewall device, potentially allowing attackers to escalate privileges, manipulate firewall rules, exfiltrate sensitive data, or pivot into internal networks. This undermines the firewall's primary role as a security boundary, increasing the risk of broader network compromise. Given that the firewall often protects critical infrastructure and sensitive environments, the impact extends to confidentiality, integrity, and availability of organizational assets. The requirement for authentication limits exposure somewhat, but insider threats or compromised credentials could enable exploitation. The absence of known exploits in the wild suggests limited current active exploitation, but the vulnerability's characteristics make it a prime target for attackers once exploit code becomes available.

Organizations should immediately verify if they are running Endian Firewall version 3.3.25 or earlier and prioritize upgrading to a patched version once available. In the absence of an official patch, administrators should consider the following mitigations: 1) Restrict access to the /cgi-bin/logs_ids.cgi endpoint to trusted administrators only, using network segmentation or firewall rules to limit exposure. 2) Implement strong authentication mechanisms and monitor for suspicious login activity to reduce the risk of credential compromise. 3) Employ Web Application Firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking command injection patterns targeting the DATE parameter. 4) Conduct regular audits of firewall logs and system processes for anomalous behavior indicative of exploitation attempts. 5) If feasible, disable or restrict the vulnerable CGI script functionality until a patch is applied. 6) Educate administrators on the risks of command injection and the importance of input validation in custom scripts or configurations. These targeted actions can reduce the attack surface and mitigate exploitation risk while awaiting vendor remediation.