HIGH 7.2

CVE-2026-10871: Shibby Tomato Remote Command Injection via IPv6 6rd Parameter

Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the start_6rd_tunnel function within /sbin/rc, which processes the ipv6_6rd_borderrelay parameter without proper input validation or sanitization. This parameter flows directly into an OS command context, allowing injection of shell metacharacters and commands. The attack requires high-privilege authentication (PR:H in CVSS terms), meaning an attacker must first gain admin-level access to the Web UI. Once authenticated, command injection becomes trivial to execute remotely over the network. The underlying weakness is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (OS Command Injection).

Business impact

Organizations running Shibby Tomato 1.28.0000 face potential compromise of router functionality and the underlying system. A malicious administrator or an attacker who has compromised admin credentials can execute arbitrary commands, potentially leading to data interception, configuration manipulation, network traffic redirection, or use of the device as a pivot point for lateral movement. Given that Tomato is commonly used in SMB and home lab environments, the impact scales with deployment breadth; each affected router represents a point of entry into a network perimeter.

Affected systems

Shibby Tomato 1.28.0000 is the confirmed affected version. Note that this project is superseded by FreshTomato; organizations should verify whether they are running legacy Shibby Tomato instances or have migrated to FreshTomato. Third-party firmware distributions based on Shibby Tomato from that era may also be vulnerable if they have not back-ported security fixes.

Exploitability

Although the exploit has been publicly disclosed, the attack requires high-privilege access to the Web UI. This substantially limits real-world exploitability in a cold-start scenario, but significantly raises risk for organizations where admin credentials have been compromised, leaked, or shared among multiple personnel. The low attack complexity (AC:L) and network vector (AV:N) indicate that once an attacker has credentials, exploitation requires minimal effort and no special tooling. The public disclosure and lack of KEV status suggest this vulnerability may not yet be actively weaponized at scale, but that status could change.

Remediation

Users of Shibby Tomato 1.28.0000 should immediately upgrade to a patched version. Since Shibby Tomato is superseded by FreshTomato, migration to FreshTomato is the recommended long-term path. If running other Tomato forks or third-party distributions, consult the vendor for patch availability. Until patched, enforce strict access controls on Web UI admin ports, restrict management interfaces to trusted networks, and rotate admin credentials.

Patch guidance

Verify the latest available version from the official Shibby Tomato or FreshTomato project repositories. Apply the most recent stable release that addresses this vulnerability. If you are on a Tomato fork or third-party distribution, check with your vendor for patch status and timeline. Test patches in a non-production environment before deployment, particularly on edge routers, to confirm no configuration regressions occur.

Detection guidance

Monitor Web UI access logs for unusual authentication patterns or repeated admin logins from unexpected sources. Look for suspicious parameter values in requests to /sbin/rc, especially those containing shell metacharacters or command separators (;, |, &, `, $(), backticks) in the ipv6_6rd_borderrelay field. Network-based detection should flag HTTP/HTTPS requests with encoded command injection payloads targeting the IPv6 configuration endpoints. Monitor process execution on the router for unexpected child processes spawned by the rc service.

Why prioritize this

Although CVSS 7.2 (HIGH) is not in the critical range, the public exploit disclosure, direct OS command injection, and the internet-facing nature of many router deployments warrant prompt attention. The high-privilege requirement provides some defense-in-depth, but compromised or weak admin credentials are common in small-to-medium deployments. The lack of active KEV status is likely temporary given the public disclosure; prioritize patching before active weaponization occurs.

Risk score, explained

CVSS 3.1 score of 7.2 reflects HIGH severity due to the combination of confidentiality, integrity, and availability impact (all High), low attack complexity, and network accessibility. The score is tempered by the PR:H requirement, which restricts the attack surface to authenticated administrators. The score does not account for widespread deployment of Shibby Tomato in unmanaged environments, where credential compromise or default/weak passwords are more likely; organizations should factor that context into their internal risk assessment.

Frequently asked questions

Is this vulnerability actively being exploited in the wild?

The vulnerability has been publicly disclosed, but it is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. This does not guarantee absence of exploitation; it indicates that as of the last update, public reports of active exploitation campaigns were not yet confirmed. Organizations should assume exploitation may occur and should prioritize patching.

Our organization runs Shibby Tomato on internal routers, not internet-facing. Should we still patch?

Yes. Threat actors often gain initial foothold via compromised credentials, phishing, or lateral movement from other segments. An unpatched router with weak or shared admin credentials becomes a privileged pivot point. Additionally, many organizations underestimate the exposure of 'internal' management interfaces to trusted-but-compromised staff or guests.

What is the relationship between Shibby Tomato and FreshTomato?

FreshTomato is the active successor project to Shibby Tomato. Shibby Tomato development has ceased. If you are on Shibby Tomato 1.28.0000, the long-term remediation is to migrate to FreshTomato, which continues to receive security updates. Verify that FreshTomato addresses this vulnerability before migrating.

How can I check if my router is vulnerable?

Log into your Tomato Web UI and navigate to the System Information or Status page to confirm your firmware version. If it shows Shibby Tomato 1.28.0000, you are affected. Check the About page or run 'uname -a' on the SSH console if available. Do not attempt to test the vulnerability directly; instead, plan an upgrade.

This analysis is provided for informational purposes to assist security leaders in vulnerability prioritization and remediation planning. The information herein is based on the publicly available CVE record as of the publication date. Organizations should verify all patch versions, compatibility, and deployment timelines against the vendor advisory and their own infrastructure. SEC.co makes no warranty regarding the completeness or timeliness of this analysis and assumes no liability for decisions made based on this content. Always test patches in non-production environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).