Platform
perl
Component
endian-firewall
Fixed in
3.3.26
CVE-2026-34797 describes a Command Injection vulnerability discovered in Endian Firewall versions up to 3.3.25. An authenticated attacker can leverage the DATE parameter within the /cgi-bin/logs_smtp.cgi endpoint to execute arbitrary operating system commands. This vulnerability stems from insufficient validation of the DATE parameter when constructing a file path used in a Perl open() call, allowing for malicious code execution. The vulnerability was publicly disclosed on April 2, 2026, and a fix is available.
Successful exploitation of CVE-2026-34797 allows an authenticated attacker to gain complete control over the underlying Endian Firewall system. This includes the ability to execute arbitrary commands with the privileges of the user running the web server process. An attacker could potentially modify system files, install malware, steal sensitive data (such as firewall configuration, logs, and user credentials), or pivot to other systems on the network. The blast radius extends to any systems accessible from the compromised firewall, making it a critical security concern. The vulnerability's reliance on authentication limits initial access, but once gained, the impact is severe.
CVE-2026-34797 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a lower probability of immediate widespread exploitation. However, the ease of exploitation once authenticated means that it remains a significant risk, particularly for organizations with weak authentication practices or vulnerable legacy configurations. The vulnerability's reliance on Perl's regular expression handling echoes similar command injection vulnerabilities seen in other web applications.
Exploit Status
EPSS
0.49% (66% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34797 is to upgrade Endian Firewall to a version that includes the security patch. Refer to the official Endian Firewall advisory for the specific patched version. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to the /cgi-bin/logssmtp.cgi endpoint to trusted networks or users. Web Application Firewall (WAF) rules can be configured to filter out malicious input in the DATE parameter, specifically looking for command injection patterns. Regularly review firewall logs for suspicious activity related to the /cgi-bin/logssmtp.cgi endpoint. After upgrading, confirm the fix by attempting to inject a simple command through the DATE parameter and verifying that it is properly sanitized.
Update Endian Firewall to a version later than 3.3.25. This corrects the command injection vulnerability in the DATE parameter of the /cgi-bin/logs_smtp.cgi script.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34797 is a Command Injection vulnerability affecting Endian Firewall versions up to 3.3.25. It allows authenticated users to execute OS commands via a parameter, potentially leading to system compromise.
You are affected if you are running Endian Firewall version 3.3.25 or earlier. Check your version and upgrade immediately if vulnerable.
Upgrade to a patched version of Endian Firewall. Consult the official Endian Firewall advisory for the specific patched version number.
While no widespread exploitation has been confirmed, the ease of exploitation makes it a potential risk. Monitor your systems and apply the patch promptly.
Refer to the official Endian Firewall security advisories on their website for detailed information and patch availability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.