CVE-2026-10067: Shibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
Shibby Tomato version 1.28 contains a stack-based buffer overflow vulnerability in the multimon.cgi component that allows authenticated attackers to execute arbitrary code remotely. The vulnerability exists in the sub_90F0 function and can be triggered through network requests without user interaction. Since Shibby Tomato is no longer maintained and has been superseded by FreshTomato, patches are not available from the original maintainers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10067 is a stack-based buffer overflow (CWE-119, CWE-121) in the sub_90F0 function of multimon.cgi in Shibby Tomato 1.28. The vulnerability requires authentication (PR:L) but operates over the network (AV:N) with low complexity (AC:L). Successful exploitation results in high impact across confidentiality, integrity, and availability. The attack does not require user interaction (UI:N) and does not depend on privilege escalation across security boundaries (S:U).
Business impact
Organizations running Shibby Tomato 1.28 face significant risk, as authenticated attackers can gain complete control of the device, potentially leading to data exfiltration, service disruption, or lateral network movement. Since the product is unsupported, no security patches will be released. This creates a persistent exposure for any deployment that has not migrated to FreshTomato or an alternative solution.
Affected systems
Shibby Tomato version 1.28 is affected. The product is no longer maintained by its original developers. FreshTomato supersedes this project and should be verified for vulnerability status independently. Any router or embedded device running Shibby Tomato 1.28 is in scope.
Exploitability
The vulnerability is exploitable by authenticated users with network access. While authentication is required, many deployments may have weak credential hygiene or exposed management interfaces. The low complexity (AC:L) and absence of user interaction (UI:N) make exploitation straightforward once credentials are obtained. This is not currently tracked in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Immediate options are limited due to lack of vendor support. Organizations should prioritize migrating to FreshTomato or discontinuing use of Shibby Tomato 1.28. For devices that cannot be immediately replaced, implement network segmentation to restrict access to management interfaces, enforce strong authentication, and monitor for suspicious activity on affected systems.
Patch guidance
No patches are available from the original Shibby Tomato maintainers, as the project is no longer supported. Review the FreshTomato project documentation to determine if a migration path exists and whether FreshTomato addresses this vulnerability. Verify the security status of FreshTomato through its own advisory channels before deployment.
Detection guidance
Monitor multimon.cgi access logs for unusual patterns, especially authentication followed by abnormal requests. Stack-based buffer overflow attempts may appear as unusually long or malformed parameters in HTTP requests to multimon.cgi. Implement intrusion detection signatures targeting CWE-119/CWE-121 buffer overflow patterns on network interfaces where Shibby Tomato devices are accessible. Check for unauthorized command execution or unexpected process spawning on affected devices.
Why prioritize this
This vulnerability scores HIGH (CVSS 8.8) due to high impact across confidentiality, integrity, and availability combined with low-complexity remote exploitation requiring only authentication. The criticality is tempered by the fact that Shibby Tomato is unsupported legacy software, meaning affected organizations have already moved to alternatives or are accepting elevated risk. However, any remaining deployments warrant urgent attention.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects remote network-accessible exploitation (AV:N) with low attack complexity (AC:L), requiring valid credentials (PR:L) but no user interaction (UI:N). The impact is complete across confidentiality, integrity, and availability (C:H/I:H/A:H). The primary mitigating factor is that the software is unsupported and legacy, limiting the population of affected devices.
Frequently asked questions
Can I simply disable multimon.cgi or restrict access to it?
Yes. If you must continue running Shibby Tomato 1.28, disabling or blocking access to multimon.cgi at the network or firewall level will prevent exploitation. However, this may disable legitimate monitoring features. A comprehensive security review and migration plan should still be pursued.
Is FreshTomato protected against this vulnerability?
FreshTomato is a separate project that supersedes Shibby Tomato. You must verify its security status through FreshTomato's own advisory channels and release notes. Do not assume it is vulnerable or patched without confirmation from FreshTomato maintainers.
What if I cannot migrate immediately?
Implement compensating controls: enforce strong authentication on management interfaces, restrict network access using firewall rules, monitor for exploitation attempts, and prioritize migration in your next maintenance window. Consider the device end-of-life in your asset planning.
How do I know if my device is vulnerable?
Check your device's firmware version. Shibby Tomato version 1.28 is affected. If you are running Shibby Tomato (rather than FreshTomato or another alternative), verify the exact version number in the device's web interface or SSH banner, then plan accordingly.
This analysis is provided for informational purposes and does not constitute professional security advice. CVE-2026-10067 affects unsupported software; verify all remediation steps against official vendor advisory sources. No exploit code or weaponized proof-of-concepts are provided. Readers should verify patch availability and compatibility within their own environments and consult vendor documentation before taking any action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow
- CVE-2026-10122HIGHTRENDnet TEW-432BRP Stack Buffer Overflow – End-of-Life Router Vulnerability