
Shibby Tomato CVE-2026-10870

EUVD-2026-34323 · HIGH
OS Command Injection (CWE-78)
2026-06-04 · VulDB · GHSA-pmrf-jcmc-23c7
Score: 7.3 (CVSS 4.0 · NVD)

Severity by source

NVD (PRIMARY): 7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD) breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (5 events)

  • Jun 04, 2026 21:28 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • Jun 04, 2026 21:27 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • Jun 04, 2026 21:22 (vuln.today): Re-analysis Queued (cvss_changed)
  • Jun 04, 2026 21:22 (NVD): CVSS changed, 7.2 (HIGH) → 7.3 (HIGH)
  • Jun 04, 2026 21:15 (vuln.today): Analysis Generated

Description (CVE.org)

A flaw has been found in Shibby Tomato 1.28.0000. It affects the function start_dhcpc in the file /sbin/rc of the Web UI component. Manipulation of input reaching this function causes OS command injection. The attack can be initiated remotely. An exploit has been published and may be used. This project is superseded by FreshTomato.

Analysis (AI)

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_dhcpc function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists per the VulDB advisory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Reach Web UI over network
  • Delivery: Authenticate as administrator
  • Exploit: Submit malicious DHCP-client input
  • Install: Trigger start_dhcpc in /sbin/rc
  • C2: Inject shell metacharacters into command
  • Execute: Execute arbitrary commands as root
  • Impact: Persist on router and pivot to LAN

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reach to the Shibby Tomato Web UI on a device running firmware 1.28.0000, (2) valid high-privilege (administrator) credentials for the Web UI, as indicated by CVSS PR:H, and (3) the ability to submit input that flows into the start_dhcpc function in /sbin/rc, typically by manipulating DHCP-client-related configuration fields exposed through the management interface. …

Risk Assessment: The CVSS 4.0 base score of 7.3 reflects a network attack vector with low complexity, but the high-privilege requirement (PR:H) means the attacker must already hold administrative credentials for the router's Web UI to reach the vulnerable code path. …

Exploit Scenario: An attacker who has obtained or guessed administrator credentials for a Shibby Tomato 1.28.0000 router's Web UI submits a DHCP-client configuration value containing shell metacharacters; when /sbin/rc invokes start_dhcpc, the injected payload is executed with root privileges. Using the publicly available PoC on Gitee, the attacker installs a persistent backdoor, pivots to LAN-internal hosts, or reconfigures DNS/routing to intercept traffic.

Remediation: No vendor-released patch was identified at the time of analysis. Shibby Tomato is a discontinued project superseded by FreshTomato, so administrators should migrate affected devices to FreshTomato (after independently verifying that FreshTomato has remediated the equivalent start_dhcpc code path) or replace the device with supported router firmware such as OpenWrt. …

Recommended Action (AI)

Within 24 hours: Identify and inventory all Shibby Tomato 1.28.0000 devices in production; implement access controls and monitoring on administrative interfaces. …


CVE-2026-10870 vulnerability details – vuln.today
