CVE-2026-34794

HighPublic PoCRCE

Published: 02 April 2026

Published

02 April 2026

Modified

07 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0046 64.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34794 is a high-severity OS Command Injection (CWE-78) vulnerability in Endian Firewall Community. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents command injection by requiring validation of the DATE parameter using complete regular expressions or equivalent techniques before passing to Perl open().

SI-2 Flaw Remediation good match

prevent

SI-2 remediates the specific flaw in /cgi-bin/logs_ids.cgi by identifying, patching, and verifying updates for this command injection vulnerability.

SI-9 Information Input Restrictions partial match

prevent

SI-9 restricts the DATE parameter to safe lengths, types, and sources, blocking malformed inputs that enable command injection.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in web CGI script (/cgi-bin/logs_ids.cgi) enables remote exploitation for arbitrary OS command execution, directly facilitating T1190 (public-facing web app exploit), T1210 (remote service exploitation), and T1059.004 (Unix shell execution on Linux-based firewall).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which…

allows command injection due to an incomplete regular expression validation.

Deeper analysisAI

CVE-2026-34794, published on 2026-04-02, is a command injection vulnerability (CWE-78) in Endian Firewall version 3.3.25 and prior. The issue resides in the /cgi-bin/logs_ids.cgi script, where the DATE parameter is used to build a file path passed directly to a Perl open() call. Incomplete regular expression validation on the parameter enables injection of arbitrary OS commands.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by authenticated users with low privileges over the network, requiring low attack complexity and no user interaction. Attackers can achieve arbitrary OS command execution, resulting in high impacts to confidentiality, integrity, and availability on the affected firewall system.

Mitigation guidance is available in vendor resources, including the Endian community section at https://help.endian.com/hc/en-us/sections/360004371358-Community and the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-ids-cgi-date-perl-command-injection.