Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Stack-based buffer overflow in Shibby Tomato 1.28 router firmware allows authenticated remote attackers to corrupt memory in the multimon.cgi handler (function sub_90F0), with high impact to confidentiality, integrity, and availability per CVSS 4.0 (8.7). The affected project is end-of-life and superseded by FreshTomato, meaning no vendor patch will be issued. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and network reachability make this a meaningful risk for any still-deployed devices.
Technical ContextAI
Tomato is a Linux-based open-source firmware historically used on consumer Broadcom-based routers (Asus, Linksys, Netgear), with the Shibby fork being one of several community branches now succeeded by FreshTomato. The vulnerable component multimon.cgi is part of the web administration interface, typically served by the embedded httpd daemon on the LAN side (and sometimes WAN if remote admin is enabled). CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) here manifests as a classic stack-based overflow inside sub_90F0, indicating that input passed to that CGI handler is copied into a fixed-size stack buffer without adequate bounds checking, opening the door to stack smashing, return address overwrite, and potential code execution on the MIPS/ARM SoC running the firmware.
RemediationAI
No vendor-released patch identified at time of analysis because Shibby Tomato is no longer maintained; the recommended path is migration to the actively maintained FreshTomato fork (https://freshtomato.org/) on compatible hardware, or replacement of the device with one running a supported firmware such as OpenWrt or stock vendor firmware. As compensating controls until migration, restrict the router web administration interface to trusted LAN management hosts only via firewall rules and disable any 'Remote Access' or WAN-side admin feature so multimon.cgi is unreachable from the internet - the trade-off is loss of remote management convenience. Enforce strong, unique admin credentials to defeat the PR:L precondition and segment the router management VLAN from untrusted user/guest networks; the trade-off is added configuration complexity. Cross-reference the VulDB advisory at https://vuldb.com/vuln/367153 for any updates.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33343
GHSA-7mrh-whj9-f675