Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Stack-based buffer overflow in Shibby Tomato router firmware (versions up to 1.28) allows authenticated remote attackers to corrupt memory in the UPS Service CGI handler, potentially leading to code execution or device compromise. The flaw resides in function sub_9068 of tomatoups.cgi and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis. Critically, this project is end-of-life - superseded by FreshTomato - so no vendor patch will be issued.
Technical ContextAI
Shibby Tomato is a community fork of the Tomato router firmware (a Linux-based replacement firmware for consumer routers, originally derived from HyperWRT). The vulnerable component is tomatoups.cgi, a CGI binary that implements the UPS (Uninterruptible Power Supply) monitoring service exposed through the router's web administration interface. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) covers the root cause class: the sub_9068 function performs an unsafe write to a fixed-size stack buffer without adequate bounds checking, allowing adjacent stack frame data - including saved return addresses - to be overwritten. On embedded MIPS/ARM router platforms typically running Tomato, classical stack smashing exploitation is often feasible because such firmware historically ships without modern mitigations like stack canaries, ASLR, or non-executable stacks.
RemediationAI
No vendor-released patch identified at time of analysis - Shibby Tomato is abandoned and the maintainer will not issue fixes. The primary remediation is to migrate affected routers to the actively maintained FreshTomato fork (https://freshtomato.org), which carries forward the Tomato lineage with ongoing security maintenance; verify after flashing that the equivalent tomatoups.cgi handler has been patched or the UPS feature is absent. As compensating controls pending migration, disable the UPS service in the router's administrative interface if not actively used (trade-off: loss of UPS monitoring/shutdown integration), restrict the web admin interface to a trusted management VLAN or specific LAN IPs via the router's firewall (trade-off: requires console/SSH for emergency access from other networks), block WAN-side access to the admin port entirely if exposed, and rotate the admin password to a strong unique value to raise the bar against the PR:L authentication prerequisite. Reference: https://vuldb.com/vuln/367152.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33341
GHSA-5f6x-gjgm-pqx4