CVE-2026-10066: Shibby Tomato Stack Buffer Overflow in UPS Service (RCE)
A stack-based buffer overflow vulnerability exists in Shibby Tomato firmware versions up to 1.28, specifically in the UPS Service component (tomatoups.cgi). An authenticated attacker with remote network access can trigger this flaw to potentially execute arbitrary code, compromise confidentiality and integrity, or cause denial of service. Notably, Shibby Tomato is no longer maintained; the project has been superseded by FreshTomato. Organizations still running unsupported Shibby Tomato instances face ongoing risk from this flaw without vendor patching.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the sub_9068 function within tomatoups.cgi, the UPS Service handler in Shibby Tomato. The flaw is a stack-based buffer overflow (CWE-119, CWE-121) triggered through improper input validation or bounds checking. An authenticated remote attacker can craft malicious requests to overflow the stack buffer, potentially overwriting return addresses or other critical stack data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network accessibility, low attack complexity, and requirement for valid credentials—but once authenticated, full system compromise (confidentiality, integrity, availability) is possible.
Business impact
Organizations running Shibby Tomato are exposed to authenticated remote code execution. If an internal attacker or compromised account gains access, they can pivot to full system compromise of the router or network appliance. Data exfiltration, malware persistence, network surveillance, and lateral movement become feasible. For businesses relying on older Shibby Tomato deployments, the absence of vendor support means no security patches will be released, creating indefinite exposure unless systems are decommissioned or migrated.
Affected systems
Shibby Tomato versions up to and including 1.28 are affected. Shibby Tomato is a third-party firmware build for consumer routers and network appliances; it is no longer maintained by its original developer. Systems still running this firmware and exposing the UPS Service interface remotely or to untrusted network segments are at risk. The project has been superseded by FreshTomato, which may or may not have the same vulnerability depending on its codebase trajectory.
Exploitability
Exploitation requires authentication; an attacker must possess or obtain valid credentials to access the UPS Service interface. The attack vector is network-based with low complexity once credentials are obtained. Given the end-of-life status of Shibby Tomato and general awareness of this flaw, the risk is elevated in environments where credential theft, insider threats, or lateral movement is plausible. However, the authentication requirement prevents unauthenticated remote exploitation from the internet.
Remediation
The primary remediation is to migrate away from unsupported Shibby Tomato firmware. Organizations should evaluate FreshTomato or other actively maintained firmware alternatives for their devices. If immediate migration is infeasible, network segmentation to restrict access to the UPS Service and router management interfaces is essential. Disable or limit remote access to administrative functions and implement strict access control lists (ACLs) to trusted internal networks only.
Patch guidance
No patches will be released for Shibby Tomato, as the project is no longer supported. Verify your current firmware version and compare it against version 1.28. If you are running 1.28 or earlier, you are affected. Review FreshTomato's advisory and release notes to determine whether it has addressed this same code path. If migrating to FreshTomato, follow the vendor's upgrade guidance carefully to avoid bricking devices. For devices that cannot be upgraded, document their use case and implement compensating network controls.
Detection guidance
Monitor for unusual requests to tomatoups.cgi, particularly those with abnormally long or malformed parameters that might trigger buffer overflows. Review access logs for the UPS Service interface; normal operation should involve minimal traffic from expected internal sources. Intrusion detection systems (IDS) tuned for stack-overflow patterns may detect exploit attempts. Additionally, monitor for unexpected process spawning or privilege escalation on affected devices following suspicious requests.
Why prioritize this
Despite the authentication requirement, this vulnerability warrants prompt attention because: (1) it enables remote code execution with full system compromise, (2) Shibby Tomato is unmaintained and no fixes will ever arrive, (3) many legacy deployments may persist in enterprise or small-business environments due to cost or inertia, and (4) internal attackers or compromised low-privilege accounts can easily escalate via this flaw. Organizations should prioritize identifying and decommissioning affected systems.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects full confidentiality, integrity, and availability impact accessible to an authenticated attacker over the network. While authentication prevents opportunistic internet-wide attacks, the flaw's presence in unmaintained, possibly long-forgotten devices creates persistent risk within networks. The high score appropriately captures that, once an attacker clears the authentication hurdle (via credential theft, insider access, or lateral movement), system compromise is virtually guaranteed.
Frequently asked questions
If I am running Shibby Tomato, am I definitely vulnerable?
If you are running version 1.28 or earlier and the UPS Service (tomatoups.cgi) is enabled and reachable, you are vulnerable. Check your firmware version in the router's web interface. However, if the UPS Service is not used or is disabled, and the interface is not accessible to potential attackers, your exposure is reduced—though not eliminated if an authenticated attacker can enable it.
What is the difference between Shibby Tomato and FreshTomato?
Shibby Tomato was a community firmware project that is no longer maintained. FreshTomato is a continuation that incorporates newer patches and improvements. If you migrate to FreshTomato, you will receive security updates and bug fixes. However, verify FreshTomato's security advisories to confirm whether this specific vulnerability was addressed in their codebase before upgrading.
Do I need authentication to exploit this vulnerability?
Yes. The vulnerability requires valid credentials (username and password) to access the UPS Service interface on the router. This means Internet-facing routers are somewhat protected from anonymous attackers, but internal threats, credential theft, or lateral movement from compromised devices can still lead to exploitation.
What should I do if I cannot immediately replace my Shibby Tomato device?
Implement network segmentation to restrict access to the router's management interface and UPS Service to trusted internal networks only. Disable remote administration. Use strong, unique credentials. Monitor access logs for suspicious activity. Document the device's use case and create a timeline for replacement or upgrade. Schedule a migration project with defined milestones rather than leaving the device in an indefinite at-risk state.
This analysis is provided for informational purposes and reflects the publicly available vulnerability data as of the publication date. No exploit code or weaponized proof-of-concept is provided. Organizations must verify their specific product versions, patch status, and network exposure independently. Shibby Tomato is no longer maintained by its original developers; consult FreshTomato documentation and security advisories for current alternatives. This assessment does not constitute legal or regulatory advice. Security leaders should validate all findings against their own threat modeling and business context before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow
- CVE-2026-10122HIGHTRENDnet TEW-432BRP Stack Buffer Overflow – End-of-Life Router Vulnerability