HIGH 7.2

CVE-2026-10872: OS Command Injection in Shibby Tomato 1.28.0000 Web UI

Shibby Tomato 1.28.0000 contains a vulnerability in the Web UI component that allows authenticated users with high-level privileges to inject operating system commands through the VPN server startup function. An attacker with administrative access could manipulate input parameters to execute arbitrary commands on the device, potentially compromising the entire router system. Public exploit information exists for this vulnerability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10872 is an OS command injection vulnerability (CWE-77, CWE-78) located in the start_vpnserver function within the /sbin/rc file, which handles Web UI operations in Shibby Tomato 1.28.0000. The vulnerability stems from insufficient input validation on user-supplied parameters that are passed to system commands without proper sanitization. An attacker must have high-level administrative privileges (PR:H) to trigger the flaw, but once exploited, can achieve unauthenticated code execution with full system permissions. The attack vector is network-based with low attack complexity.

Business impact

Successful exploitation enables complete compromise of affected routers. An administrator account (or attacker with stolen admin credentials) could execute arbitrary system commands, leading to data theft from devices behind the router, network traffic interception, lateral movement into connected networks, persistent backdoor installation, and device takeover. For organizations deploying Shibby Tomato in edge or branch office scenarios, this could create a critical network ingress point for attackers.

Affected systems

Shibby Tomato version 1.28.0000 is confirmed vulnerable. The project has been superseded by FreshTomato; users should verify whether FreshTomato versions contain similar code paths or have addressed this class of injection flaw. Organizations running legacy Shibby Tomato deployments—particularly in network appliance, routing, or edge computing roles—require immediate assessment.

Exploitability

The vulnerability carries a CVSS 3.1 score of 7.2 (HIGH) with a network attack vector and low attack complexity. The requirement for high-privilege administrative access (PR:H) restricts the initial attack surface, but public exploit information exists, lowering the technical barrier for actors who gain administrative credentials through phishing, social engineering, or credential compromise. The lack of user interaction required (UI:N) means automated exploitation is feasible once authentication is achieved.

Remediation

Shibby Tomato 1.28.0000 users should immediately cease use of this firmware and migrate to FreshTomato, the successor project. Verify that FreshTomato's current build does not inherit this vulnerability or similar input-validation weaknesses in the VPN server initialization code. Until migration is complete, restrict administrative access to the Web UI to trusted networks only, implement strong authentication controls, and monitor for suspicious command execution in system logs.

Patch guidance

No patch is available for Shibby Tomato 1.28.0000 because the project is no longer actively maintained. The only supported remediation is migration to FreshTomato. Download the latest stable FreshTomato release from the official repository and perform a clean flash. Verify the integrity of the firmware image using published checksums. After upgrade, reconfigure VPN settings and reset administrative credentials.

Detection guidance

Monitor Web UI access logs and process execution logs for suspicious patterns: unusual VPN server restart commands initiated through the Web UI, shell metacharacters (pipes, semicolons, backticks, command substitution syntax) in HTTP request parameters destined for the /sbin/rc handler, and unexpected system commands spawned by the Web UI process. Implement network segmentation to restrict administrative access to trusted subnets. Review authentication logs for successful admin logins from unexpected sources.

Why prioritize this

Despite the high CVSS score and public exploit availability, the requirement for high-privilege authentication limits this to organizations where Shibby Tomato is deployed in restricted administrative environments or where credential compromise is a real risk. However, because the project is unmaintained and the attack surface includes the Web UI (often accessible on local networks), this should be treated as urgent for any remaining deployments. The HIGH severity rating, combined with the imminent availability of weaponized proof-of-concept code, justifies rapid decommissioning of affected firmware.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH) reflects: (1) network-accessible attack vector; (2) low attack complexity, meaning no special tools or advanced knowledge required; (3) high-privilege requirement, reducing immediate risk from unauthenticated attackers; and (4) high impact across confidentiality, integrity, and availability—full system compromise is possible. The availability of public exploits and the unmaintained status of the project elevate real-world risk beyond the base CVSS score.

Frequently asked questions

Is this vulnerability exploitable without administrative credentials?

No. The vulnerability requires high-level administrative access to the Web UI. However, if an attacker gains administrative credentials through phishing or credential stuffing, they can immediately exploit this flaw to execute system commands.

Should we migrate from Shibby Tomato to FreshTomato?

Yes, immediately. Shibby Tomato is no longer maintained. FreshTomato is the active successor project and is recommended for all users. Verify the latest FreshTomato release notes to confirm this specific vulnerability is not present.

Can we patch Shibby Tomato 1.28.0000 ourselves?

Patching is technically possible if you have firmware development expertise, but not recommended. The project lacks official support, and custom patches introduce maintenance debt. Migrating to FreshTomato is the safer, supported path.

What should we do if we cannot migrate immediately?

Implement network-level controls: restrict Web UI access to a trusted management subnet using firewall rules, enforce strong and unique admin passwords, enable any available logging of Web UI commands, and monitor process execution logs for signs of exploitation. Plan your migration to FreshTomato urgently.

This analysis is based on published vulnerability data and CVSS scoring as of the publication date. CVSS scores are indicative risk estimates and should be contextualized with your organization's exposure, asset criticality, and threat landscape. Shibby Tomato is an unmaintained project; FreshTomato is the recommended successor but should be evaluated independently for your use case. Always verify patch applicability and test updates in non-production environments before deployment. SEC.co does not provide warranty regarding the completeness or accuracy of third-party vendor security advisories. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).