Compliance Impact

This vulnerability allows authenticated users to delete arbitrary files on the system due to improper sanitization of directory traversal sequences. Such unauthorized file deletion can lead to loss of data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA.

Specifically, the high impact on confidentiality and potential data loss could result in non-compliance with regulations that require protection of sensitive data and maintaining system integrity.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the /cgi-bin/backup.cgi script to trusted authenticated users only, as the vulnerability requires authentication.

Additionally, applying input validation or sanitization to the remove ARCHIVE parameter to prevent directory traversal sequences is critical.

If a patch or updated version of Endian Firewall is available beyond version 3.3.25, upgrading to that version is recommended.

As a temporary measure, monitoring and blocking suspicious requests containing directory traversal patterns targeting /cgi-bin/backup.cgi can reduce exploitation risk.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34790 is a high-severity vulnerability in Endian Firewall versions 3.3.25 and earlier. It is a directory traversal flaw in the remove ARCHIVE parameter of the /cgi-bin/backup.cgi script.

Authenticated users can exploit this vulnerability to delete arbitrary files on the system because the remove ARCHIVE parameter is used to build a file path without properly sanitizing directory traversal sequences like "../". This unsanitized path is then passed directly to the unlink() system call, which deletes the specified file.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users to delete arbitrary files on the affected system.

The impact includes a high impact on confidentiality because important files could be deleted, potentially disrupting system integrity or exposing sensitive information indirectly.

The attack complexity is low, no user interaction is needed, and it requires limited privileges, making it easier for attackers with some access to cause damage.

Availability impact is low, meaning the system might remain operational but with potential loss or corruption of files.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an authenticated user exploiting directory traversal sequences in the remove ARCHIVE parameter of the /cgi-bin/backup.cgi script to delete arbitrary files. Detection can focus on monitoring HTTP requests to this endpoint for suspicious directory traversal patterns such as '../' in the remove ARCHIVE parameter.

Suggested commands to detect exploitation attempts include using web server logs or network traffic analysis tools to search for requests containing directory traversal sequences targeting /cgi-bin/backup.cgi.

• Using grep on web server logs to find suspicious requests: grep -i 'remove.*\.\./' /var/log/httpd/access_log
• Using tcpdump or Wireshark to filter HTTP requests to /cgi-bin/backup.cgi containing '../': tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/backup.cgi' | grep '\.\./'

Useful 0 Not Useful 0