HIGH 8.8

CVE-2026-10067: Shibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi

Shibby Tomato version 1.28 contains a stack-based buffer overflow vulnerability in the multimon.cgi component that allows authenticated attackers to execute arbitrary code remotely. The vulnerability exists in the sub_90F0 function and can be triggered through network requests without user interaction. Since Shibby Tomato is no longer maintained and has been superseded by FreshTomato, patches are not available from the original maintainers.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10067 is a stack-based buffer overflow (CWE-119, CWE-121) in the sub_90F0 function of multimon.cgi in Shibby Tomato 1.28. The vulnerability requires authentication (PR:L) but operates over the network (AV:N) with low complexity (AC:L). Successful exploitation results in high impact across confidentiality, integrity, and availability. The attack does not require user interaction (UI:N) and does not depend on privilege escalation across security boundaries (S:U).

Business impact

Organizations running Shibby Tomato 1.28 face significant risk, as authenticated attackers can gain complete control of the device, potentially leading to data exfiltration, service disruption, or lateral network movement. Since the product is unsupported, no security patches will be released. This creates a persistent exposure for any deployment that has not migrated to FreshTomato or an alternative solution.

Affected systems

Shibby Tomato version 1.28 is affected. The product is no longer maintained by its original developers. FreshTomato supersedes this project and should be verified for vulnerability status independently. Any router or embedded device running Shibby Tomato 1.28 is in scope.

Exploitability

The vulnerability is exploitable by authenticated users with network access. While authentication is required, many deployments may have weak credential hygiene or exposed management interfaces. The low complexity (AC:L) and absence of user interaction (UI:N) make exploitation straightforward once credentials are obtained. This is not currently tracked in the CISA Known Exploited Vulnerabilities catalog.

Remediation

Immediate options are limited due to lack of vendor support. Organizations should prioritize migrating to FreshTomato or discontinuing use of Shibby Tomato 1.28. For devices that cannot be immediately replaced, implement network segmentation to restrict access to management interfaces, enforce strong authentication, and monitor for suspicious activity on affected systems.

Patch guidance

No patches are available from the original Shibby Tomato maintainers, as the project is no longer supported. Review the FreshTomato project documentation to determine if a migration path exists and whether FreshTomato addresses this vulnerability. Verify the security status of FreshTomato through its own advisory channels before deployment.

Detection guidance

Monitor multimon.cgi access logs for unusual patterns, especially authentication followed by abnormal requests. Stack-based buffer overflow attempts may appear as unusually long or malformed parameters in HTTP requests to multimon.cgi. Implement intrusion detection signatures targeting CWE-119/CWE-121 buffer overflow patterns on network interfaces where Shibby Tomato devices are accessible. Check for unauthorized command execution or unexpected process spawning on affected devices.

Why prioritize this

This vulnerability scores HIGH (CVSS 8.8) due to high impact across confidentiality, integrity, and availability combined with low-complexity remote exploitation requiring only authentication. The criticality is tempered by the fact that Shibby Tomato is unsupported legacy software, meaning affected organizations have already moved to alternatives or are accepting elevated risk. However, any remaining deployments warrant urgent attention.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects remote network-accessible exploitation (AV:N) with low attack complexity (AC:L), requiring valid credentials (PR:L) but no user interaction (UI:N). The impact is complete across confidentiality, integrity, and availability (C:H/I:H/A:H). The primary mitigating factor is that the software is unsupported and legacy, limiting the population of affected devices.

Frequently asked questions

Can I simply disable multimon.cgi or restrict access to it?

Yes. If you must continue running Shibby Tomato 1.28, disabling or blocking access to multimon.cgi at the network or firewall level will prevent exploitation. However, this may disable legitimate monitoring features. A comprehensive security review and migration plan should still be pursued.

Is FreshTomato protected against this vulnerability?

FreshTomato is a separate project that supersedes Shibby Tomato. You must verify its security status through FreshTomato's own advisory channels and release notes. Do not assume it is vulnerable or patched without confirmation from FreshTomato maintainers.

What if I cannot migrate immediately?

Implement compensating controls: enforce strong authentication on management interfaces, restrict network access using firewall rules, monitor for exploitation attempts, and prioritize migration in your next maintenance window. Consider the device end-of-life in your asset planning.

How do I know if my device is vulnerable?

Check your device's firmware version. Shibby Tomato version 1.28 is affected. If you are running Shibby Tomato (rather than FreshTomato or another alternative), verify the exact version number in the device's web interface or SSH banner, then plan accordingly.

This analysis is provided for informational purposes and does not constitute professional security advice. CVE-2026-10067 affects unsupported software; verify all remediation steps against official vendor advisory sources. No exploit code or weaponized proof-of-concepts are provided. Readers should verify patch availability and compatibility within their own environments and consult vendor documentation before taking any action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).