CVE-2026-10870: Shibby Tomato 1.28.0000 OS Command Injection Vulnerability
Shibby Tomato version 1.28.0000 contains a command injection vulnerability in its web-based configuration interface that allows authenticated administrators to execute arbitrary operating system commands on the router. An attacker with administrative access can manipulate the DHCP client startup function to inject malicious commands, potentially compromising the entire device and any network it serves. Exploit code has been published publicly, increasing the risk of opportunistic attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-77, CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10870 is an OS command injection flaw in the start_dhcpc function within /sbin/rc, a critical component of Shibby Tomato's web UI. The vulnerability stems from insufficient input sanitization when processing DHCP configuration parameters. An authenticated attacker can inject shell metacharacters into function parameters, causing the shell interpreter to execute arbitrary commands with root-level privileges. The attack vector is network-based, requires high privileges (administrative credentials), and has no user interaction requirement. Both CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (OS Command Injection) classifications apply.
Business impact
Compromise of a Shibby Tomato router exposes both the device and downstream network to significant risk. An attacker gaining command execution can establish persistence, intercept traffic, modify DNS settings, deploy malware, or pivot to connected clients. For small office or SOHO deployments relying on Tomato-based routers, this could result in complete network compromise. Given that Shibby Tomato is a community fork of an older project and no longer under active development (superseded by FreshTomato), many instances may remain unpatched indefinitely, creating a persistent attack surface.
Affected systems
Shibby Tomato version 1.28.0000 is confirmed vulnerable. The Shibby Tomato project has been superseded by FreshTomato, which should be verified independently for patching status and exposure. Any router or embedded system running the vulnerable Shibby Tomato build is at risk. Organizations should audit their infrastructure for instances of this firmware, particularly in network edge devices, access points, or lab environments where custom router firmware may be deployed.
Exploitability
Exploitation requires valid administrative credentials to access the web UI, which raises the attack prerequisite bar compared to unauthenticated flaws. However, the presence of published exploit code, combined with the network-accessible attack surface and the prevalence of weak default credentials in home and small business routers, significantly elevates practical exploitability. An attacker who gains or already possesses admin credentials can reliably execute code without user interaction. The straightforward nature of command injection suggests reliable, repeatable exploitation.
Remediation
Immediate action is to discontinue use of Shibby Tomato 1.28.0000 if it remains deployed. The Shibby Tomato project is no longer maintained; the successor project FreshTomato should be evaluated and deployed as a replacement. Organizations should verify whether FreshTomato addresses this vulnerability before migration. For devices where upgrading is not immediately possible, restrict administrative access to trusted networks only, disable remote management, and implement network-level controls to limit lateral movement from a compromised router. Change default administrative credentials and disable any unnecessary services.
Patch guidance
No patch is available for Shibby Tomato 1.28.0000, as the project is superseded and no longer receives updates. Organizations should migrate to FreshTomato and verify through the FreshTomato project documentation that the vulnerability has been remediated in the target version. Consult FreshTomato's official release notes and security advisories to confirm patch versions address CVE-2026-10870. Test any firmware update in a non-production environment before deployment to production routers.
Detection guidance
Network-level detection is limited but should focus on monitoring administrative access to router web interfaces for anomalous activity or failed login attempts. System-level detection on the router itself is challenging without specialized logging. Organizations should enable access logs on web-based management interfaces if available, monitor for suspicious command patterns in syslog or shell history if accessible, and watch for unexpected process execution or child processes spawned from rc or web UI daemons. Intrusion detection signatures targeting command injection payloads in HTTP requests to Tomato web UI endpoints may catch exploitation attempts.
Why prioritize this
Although the CVSS score is 7.2 (HIGH), prioritization must account for the authentication requirement and the limited scope of Shibby Tomato deployment relative to mainstream router firmware. However, the project's end-of-life status, the availability of published exploits, and the likelihood of long-term non-patched deployments warrant urgent remediation within affected environments. Organizations running Shibby Tomato should treat this as critical within their own risk context, even if it does not rank as critical industry-wide.
Risk score, explained
The CVSS 3.1 score of 7.2 reflects a HIGH severity rating driven by high confidentiality, integrity, and availability impact (root-level command execution) tempered by the requirement for high privilege level (authenticated admin access). The network attack vector and low complexity further support the score. This assessment assumes the attacker already possesses or can obtain administrative credentials; the practical risk is elevated where default credentials remain unchanged or where credential compromise is plausible.
Frequently asked questions
Does this affect FreshTomato?
FreshTomato is the successor to Shibby Tomato. You should consult FreshTomato's official security advisories and release notes to determine whether FreshTomato versions are affected or have been patched. Do not assume that simply upgrading to FreshTomato resolves the issue without verification.
Can this be exploited without administrative access?
No. CVE-2026-10870 requires high privilege level (administrative credentials) to exploit. An unauthenticated attacker cannot trigger this vulnerability. However, default credentials, weak passwords, or compromised admin accounts are a realistic attack pathway in practice.
What should I do if I cannot upgrade immediately?
Isolate administrative access to trusted networks via firewall rules, disable remote web UI access if not required, change default credentials immediately, disable UPnP and other unnecessary services, and monitor access logs closely. These are temporary mitigations while you plan migration to a maintained firmware version.
Is there a publicly available exploit?
Yes, exploit code has been published. This does not mean weaponized attacks are widespread, but it lowers the technical barrier to exploitation and should accelerate your remediation timeline. Assume that skilled attackers or security researchers may be actively testing this vulnerability.
This analysis is provided for informational and educational purposes to support vulnerability management and risk assessment. The vulnerability data and CVSS score are derived from published CVE records and vendor advisories current as of the analysis date. No exploit code, proof-of-concept payloads, or detailed weaponization guidance are provided herein. Organizations must independently verify all patch versions, firmware builds, and security claims against official vendor documentation before deploying mitigations. SEC.co makes no warranty that this analysis is complete, error-free, or suitable for any specific purpose; use it at your own risk and in conjunction with vendor guidance and internal security review. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler
- CVE-2026-10871HIGHShibby Tomato Remote Command Injection via IPv6 6rd Parameter
- CVE-2026-10872HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10873HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10279MEDIUMOS Command Injection in wezterm-mcp 0.1.0
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows