CVE-2026-34792
Published: 02 April 2026
Summary
CVE-2026-34792 is a high-severity OS Command Injection (CWE-78) vulnerability in Endian Firewall Community. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of the untrusted DATE parameter prior to its use in constructing the file path for the Perl open() call.
Remediates the specific flaw in the incomplete regular expression validation within the logs_clamav.cgi script to eliminate the command injection vulnerability.
Restricts the DATE parameter to only valid date formats via whitelisting or blacklisting, blocking malformed inputs that enable command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in a remote CGI script enables low-priv authenticated attackers to achieve arbitrary OS command execution on a Linux-based firewall, directly facilitating exploitation of remote services (T1210), privilege escalation via exploitation (T1068), and Unix shell command execution (T1059.004).
NVD Description
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which…
more
allows command injection due to an incomplete regular expression validation.
Deeper analysisAI
CVE-2026-34792 is a command injection vulnerability (CWE-78) in Endian Firewall versions 3.3.25 and prior. The issue resides in the /cgi-bin/logs_clamav.cgi script, where the DATE parameter is used to construct a file path passed directly to a Perl open() call. Due to an incomplete regular expression validation, this allows authenticated users to inject and execute arbitrary OS commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility and significant impacts.
An attacker with low-privilege authenticated access can exploit this remotely with low complexity and no user interaction required. By crafting a malicious DATE parameter value, they bypass validation and inject commands via the Perl open() mechanism, achieving arbitrary OS command execution on the firewall appliance. This grants high confidentiality, integrity, and availability impacts, potentially enabling full system compromise.
Advisories from Endian (https://help.endian.com/hc/en-us/sections/360004371358-Community) and VulnCheck (https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-clamav-cgi-date-perl-command-injection) provide additional details on the issue, published on 2026-04-02.
Details
- CWE(s)