Which versions of Shibby Tomato are affected by CVE-2026-10872?

Organizations using end-of-life Shibby Tomato 1.28.0000 routers face critical risk: authenticated attackers with administrative credentials can inject arbitrary operating system commands through the…

Is there a public PoC exploit available for CVE-2026-10872?

Yes, a public proof-of-concept exploit is available for CVE-2026-10872. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-10872?

24 hours: Identify all Shibby Tomato 1.28.0000 deployments and restrict Web UI administrative access via firewall rules. 7 days: Evaluate migration timeline to FreshTomato (the successor firmware project) or alternative router solutions. 30 days: Complete migration to FreshTomato or alternative firmware, or implement additional network segmentation and access controls if migration extends beyond this date.

Shibby Tomato CVE-2026-10872

Q: What is the CVSS score of CVE-2026-10872?

CVE-2026-10872 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-34339 HIGH

OS Command Injection (CWE-78)

2026-06-04 VulDB

GHSA-f2p9-c2rc-cj7w

Command Injection Tomato

7.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.3 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Jun 04, 2026 - 23:29 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 04, 2026 - 23:29 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 04, 2026 - 23:22 vuln.today

cvss_changed

CVSS changed

Jun 04, 2026 - 23:22 NVD

7.2 (HIGH) 7.3 (HIGH)

Analysis Generated

Jun 04, 2026 - 23:02 vuln.today

DescriptionCVE.org

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.

AnalysisAI

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_vpnserver function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists, and the project is end-of-life - superseded by FreshTomato - meaning no upstream patch is forthcoming. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify exposed Tomato Web UI

Delivery

Obtain admin credentials via reuse or default

Exploit

Authenticate to Web UI

Install

Submit crafted VPN server NVRAM value

Trigger start_vpnserver in /sbin/rc

Execute

Execute injected shell commands as root

Impact

Install persistence and pivot into LAN