HIGH 7.5

CVE-2026-10069: Shibby Tomato miniupnpd Resource Exhaustion Vulnerability

A denial-of-service vulnerability exists in Shibby Tomato 1.28's miniupnpd service that allows unauthenticated attackers to exhaust system resources remotely. The flaw resides in an unspecified function within the UPnP daemon and can be triggered without special privileges or user interaction. While Shibby Tomato is no longer maintained (superseded by FreshTomato), organizations still running this legacy firmware remain at risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400, CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10069 is a resource-exhaustion vulnerability affecting the miniupnpd daemon in Shibby Tomato 1.28. The vulnerability combines improper input validation (CWE-400: Uncontrolled Resource Consumption) and potential resource-handling flaws (CWE-404: Improper Resource Validation) to enable remote denial of service. The attack vector is network-based with low complexity, no authentication required, and no user interaction needed. The impact is strictly availability; confidentiality and integrity are not affected. The CVSS 3.1 score of 7.5 reflects the high availability impact balanced against the limited attack surface.

Business impact

Organizations operating legacy Shibby Tomato-based routers or network appliances face service disruption if attackers trigger excessive resource consumption in miniupnpd. Affected systems may become unresponsive or require manual restart. The risk is compounded by the fact that Shibby Tomato is unsupported; no patches will be released. Businesses still relying on this firmware must choose between accepting operational risk or migrating to FreshTomato or alternative solutions.

Affected systems

Shibby Tomato version 1.28 and earlier releases are affected. This custom router firmware distribution is community-maintained and has been superseded by FreshTomato. The vulnerability specifically impacts the miniupnpd service (usr/sbin/miniupnpd), which handles UPnP protocol operations. Organizations using Shibby Tomato in production—whether on MIPS-based routers, ARM devices, or x86 systems—are in scope.

Exploitability

The vulnerability is easily exploitable. No authentication is required, attack complexity is low, and exploitation can occur over the network without any user interaction. An attacker can craft UPnP protocol messages or network requests to trigger resource exhaustion in miniupnpd. The remote attack surface is broad; any system exposing miniupnpd to untrusted networks is vulnerable. However, real-world impact depends on deployment context: miniupnpd instances isolated to LAN segments are lower risk than those accessible from the internet.

Remediation

Immediate patching is not an option since Shibby Tomato is no longer supported. The recommended path forward is migration to FreshTomato, an actively maintained fork that addresses known issues including this vulnerability. Organizations unable to migrate immediately should implement network controls to restrict UPnP traffic, disable miniupnpd if it is not required, and isolate affected devices to trusted network segments only. Verify FreshTomato release notes to confirm this issue is resolved before upgrading.

Patch guidance

No patch is available from Shibby Tomato maintainers. FreshTomato, the successor project, may have addressed this issue; verify the FreshTomato release notes and changelog for your target version to confirm coverage of CVE-2026-10069 before deployment. If upgrading to FreshTomato is not feasible, consult your router manufacturer or device vendor for alternative firmware options that support your hardware. Test any firmware update in a non-production environment first.

Detection guidance

Monitor for abnormal miniupnpd process behavior, including sustained high CPU usage, excessive memory consumption, or repeated process restarts. Network-based detection may identify malformed UPnP requests or unusual packet volumes targeting UPnP ports (typically UDP 1900 and TCP 5000). Enable logging on affected routers if supported. Inspect network traffic between internal devices and external UPnP services for anomalies. Consider disabling UPnP entirely if not required and verify via device configuration that miniupnpd is not running unnecessary listeners.

Why prioritize this

Despite the unsupported status of Shibby Tomato, this vulnerability merits immediate assessment within any organization still running the firmware. The CVSS 7.5 score and low exploitability bar mean that risk is real and attack difficulty is minimal. The complete lack of vendor support eliminates the typical remediation path and forces architectural decisions about migration or isolation. Prioritize identification of all Shibby Tomato instances in your environment, then execute a migration or containment plan without delay.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a high-impact denial-of-service attack that can be launched remotely by any unauthenticated attacker with network connectivity. The low attack complexity and lack of user interaction requirements elevate the score. However, the score does not account for exploitability trends or real-world prevalence; unsupported software typically presents compounded risk due to the absence of vendor patches and community attention. Organizations should treat this as a critical infrastructure concern.

Frequently asked questions

Is there a patch available for Shibby Tomato 1.28?

No. Shibby Tomato is no longer maintained by its creators. The project has been superseded by FreshTomato, an actively developed fork. You must migrate to FreshTomato or another supported firmware distribution to obtain a fix.

What is FreshTomato and how do I know if it addresses this vulnerability?

FreshTomato is a community-maintained continuation of Shibby Tomato that receives regular updates and security fixes. Before upgrading, review the FreshTomato changelog and release notes for your target version to confirm that CVE-2026-10069 is addressed. Verify hardware compatibility with your router model.

Can I just disable miniupnpd instead of upgrading?

Yes, disabling miniupnpd is a valid short-term mitigation if your network does not require UPnP functionality. Log into your router's web interface, navigate to the UPnP configuration section, and disable the service. This eliminates the attack surface while you plan a longer-term migration strategy.

How do I know if my router is running Shibby Tomato?

Check your router's web interface (usually 192.168.1.1) and look at the System or About page. The firmware name and version will be listed. If you see 'Shibby Tomato' in the name, you are affected. Router administration interfaces vary; consult your specific model's documentation.

This analysis is based on publicly disclosed vulnerability information current as of the publication date. SEC.co provides this information for informational purposes to assist with vulnerability assessment and risk management. Readers should validate all findings against official vendor documentation, release notes, and security advisories before making remediation decisions. This page does not constitute professional security advice. Organizations should conduct their own risk assessments and consult with qualified security professionals regarding deployment and patching strategies specific to their environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).