Vulnerabilities ›

CVE-2026-34795

High

CWE-78 — Weakness Type

                    Published: Apr 2, 2026                      ·  Modified: Apr 9, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

🤖 AI Executive Summary

Endian Firewall versions 3.3.25 and prior contain a critical command injection vulnerability in the logs_log.cgi module that allows authenticated users to execute arbitrary OS commands via the DATE parameter. The vulnerability exploits incomplete regex validation in Perl's open() function, enabling attackers with valid credentials to gain full system compromise. This poses significant risk to Saudi organizations using Endian Firewall as perimeter security, particularly in banking and government sectors where firewall integrity is critical.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 07:33

🇸🇦 Saudi Arabia Impact Assessment

High impact on Saudi banking sector (SAMA-regulated institutions) relying on Endian Firewall for perimeter defense and log management. Government agencies (NCA, NCSC oversight) using Endian solutions face critical risk of unauthorized system access and audit log tampering. Telecom operators (STC, Mobily) managing network security through Endian appliances could experience service disruption and data exfiltration. Healthcare organizations (MOH) using Endian for network segmentation face patient data exposure risks. Energy sector (ARAMCO, utilities) dependent on Endian for OT/IT boundary protection face operational technology compromise. The authenticated requirement slightly reduces exposure but is critical given insider threat prevalence in Saudi organizations.

🏢 Affected Saudi Sectors

Banking and Financial Services (SAMA-regulated) Government and Public Administration (NCA, NCSC) Telecommunications (STC, Mobily, Zain) Healthcare (MOH, private hospitals) Energy and Utilities (ARAMCO, power generation) Critical Infrastructure Protection Defense and Security Education (universities with network security)

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (web interface exploitation) T1059 - Command and Scripting Interpreter (OS command execution via Perl) T1078 - Valid Accounts (leverages authenticated access) T1562 - Impair Defenses (firewall log tampering) T1070 - Indicator Removal (log manipulation via command injection) T1021 - Remote Service Session Initiation (firewall management access) T1548 - Abuse Elevation Control Mechanism (privilege escalation from web context) T1083 - File and Directory Discovery (file path manipulation)

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Endian Firewall instances in your environment running version 3.3.25 or earlier

2. Restrict administrative access to /cgi-bin/logs_log.cgi to trusted IP ranges only

3. Implement network-level access controls limiting who can reach the web management interface

4. Review authentication logs for suspicious DATE parameter usage patterns

5. Monitor for command injection indicators in firewall logs (backticks, $(), pipe characters in DATE fields)

PATCHING GUIDANCE:

- Contact Endian support immediately for patch availability timeline

- If no patch available within 30 days, plan firewall replacement or upgrade

- Test patches in isolated lab environment before production deployment

COMPENSATING CONTROLS (if patch unavailable):

1. Implement Web Application Firewall (WAF) rules blocking special characters in DATE parameter: [;|`$()&<>]

2. Deploy IDS/IPS signatures detecting command injection attempts to logs_log.cgi

3. Enforce multi-factor authentication for firewall administrative access

4. Implement strict input validation at network perimeter for management traffic

5. Enable comprehensive audit logging of all CGI parameter values

6. Isolate Endian management interface on separate administrative network

7. Implement file integrity monitoring on Endian system binaries and configuration

DETECTION RULES:

- Alert on HTTP requests to /cgi-bin/logs_log.cgi containing DATE parameter with: semicolons, backticks, $(), pipe operators, command substitution syntax

- Monitor Endian process execution logs for unexpected child processes spawned from Perl interpreter

- Track failed authentication attempts followed by successful access to logs_log.cgi

- Alert on modifications to firewall log files outside normal rotation windows

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع مثيلات Endian Firewall في بيئتك التي تعمل بالإصدار 3.3.25 أو أقدم

2. تقييد الوصول الإداري إلى /cgi-bin/logs_log.cgi على نطاقات IP موثوقة فقط

3. تنفيذ عناصر التحكم في الوصول على مستوى الشبكة لتحديد من يمكنه الوصول إلى واجهة إدارة الويب

4. مراجعة سجلات المصادقة للأنماط المريبة في استخدام معامل DATE

5. مراقبة مؤشرات حقن الأوامر في سجلات جدار الحماية (علامات الاقتباس العكسية، $()، أحرف الأنابيب في حقول DATE)



إرشادات التصحيح:

- اتصل بدعم Endian على الفور للحصول على جدول زمني لتوفر التصحيح

- إذا لم يكن هناك تصحيح متاح خلال 30 يوماً، خطط لاستبدال جدار الحماية أو الترقية

- اختبر التصحيحات في بيئة معملية معزولة قبل نشر الإنتاج



عناصر التحكم التعويضية (إذا لم يكن التصحيح متاحاً):

1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر الأحرف الخاصة في معامل DATE: [;|`$()&<>]

2. نشر توقيعات IDS/IPS للكشف عن محاولات حقن الأوامر إلى logs_log.cgi

3. فرض المصادقة متعددة العوامل لوصول إدارة جدار الحماية

4. تنفيذ التحقق الصارم من المدخلات على محيط الشبكة لحركة الإدارة

5. تفعيل تسجيل التدقيق الشامل لجميع قيم معاملات CGI

6. عزل واجهة إدارة Endian على شبكة إدارية منفصلة

7. تنفيذ مراقبة سلامة الملفات على ملفات ثنائية Endian والتكوين



قواعد الكشف:

- تنبيه على طلبات HTTP إلى /cgi-bin/logs_log.cgi تحتوي على معامل DATE يحتوي على: فواصل منقوطة، علامات اقتباس عكسية، $()، عوامل الأنابيب، بناء جملة استبدال الأوامر

- مراقبة سجلات تنفيذ عملية Endian للعمليات الفرعية غير المتوقعة التي يتم إطلاقها من مترجم Perl

- تتبع محاولات المصادقة الفاشلة متبوعة بالوصول الناجح إلى logs_log.cgi

- تنبيه على التعديلات على ملفات سجل جدار الحماية خارج نوافذ الدوران العادية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (authenticated access exploitation) ECC 2024 A.5.2.1 - User Registration and Access Rights Management ECC 2024 A.5.3.1 - Management of Privileged Access Rights ECC 2024 A.6.2.1 - Restriction of Access to Information (firewall bypass) ECC 2024 A.12.2.1 - Installation of Software on Operational Systems (command execution) ECC 2024 A.12.4.1 - Logging (audit log tampering via command injection) ECC 2024 A.14.2.1 - Secure Development Policy (input validation failure)

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Asset Management (firewall inventory and versioning) SAMA CSF PR.AC-1 - Access Control (authentication bypass risks) SAMA CSF PR.AC-3 - Access Enforcement (privileged access management) SAMA CSF PR.AC-4 - Access Rights (role-based access to management interfaces) SAMA CSF PR.DS-2 - Data Security (log integrity and confidentiality) SAMA CSF DE.CM-1 - Detection and Analysis (security monitoring) SAMA CSF RS.MI-2 - Incident Response (containment of compromised firewall)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies and Procedures ISO 27001:2022 A.6.1 - Organizational Controls (access management) ISO 27001:2022 A.8.1 - Asset Management (firewall asset control) ISO 27001:2022 A.8.3 - Media Handling (log file integrity) ISO 27001:2022 A.9.1 - Access Control Policy ISO 27001:2022 A.9.2 - User Access Management (privileged access) ISO 27001:2022 A.9.4 - Access Rights Review ISO 27001:2022 A.12.4 - Logging (audit trail protection) ISO 27001:2022 A.14.2 - Secure Development (input validation)

🟣 PCI DSS v4.0.1

PCI DSS 1.1 - Firewall Configuration Standards (firewall integrity) PCI DSS 2.1 - Default Passwords and Security Parameters PCI DSS 2.2 - Configuration Standards for System Components PCI DSS 2.4 - Document and Communicate Security Configuration PCI DSS 6.2 - Security Patches (vulnerability management) PCI DSS 7.1 - Limit Access to System Components PCI DSS 8.1 - User Identification and Authentication PCI DSS 10.2 - Automated Audit Trails (log tampering prevention)

🔗 References & Sources 2

🔗

https://help.endian.com/hc/en-us/sections/360004371358-Community

disclosure@vulncheck.com

Release Notes

🔗

https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-log-cgi-date-perl-com...

disclosure@vulncheck.com

Third Party Advisory

📦 Affected Products / CPE 1 entries

endian:firewall_community

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-78

EPSS0.25%

Exploit No

Patch ✗ No

Published 2026-04-02

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-78

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-34795

💬 Comments

Introduce Yourself

Sign In Required