Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Remote denial-of-service in Shibby Tomato 1.28 firmware allows unauthenticated network attackers to exhaust resources via the miniupnpd UPnP daemon at usr/sbin/miniupnpd. The affected project is end-of-life and superseded by FreshTomato, meaning no upstream fix will be issued. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high availability impact with no authentication or user interaction required.
Technical ContextAI
Shibby Tomato is a community-maintained fork of the Tomato router firmware for consumer SOHO routers, now discontinued in favor of FreshTomato. The vulnerable component, miniupnpd, is the MiniUPnP daemon that implements UPnP IGD and NAT-PMP services typically exposed on the LAN interface to allow LAN clients to request port mappings on the router. CWE-400 (Uncontrolled Resource Consumption) indicates the daemon fails to properly bound memory, CPU, connection, or mapping-table usage when processing crafted requests, allowing an attacker to drive the process or device into exhaustion. Because miniupnpd often runs as a privileged long-lived service on the router, its degradation directly impacts routing and NAT functionality for all clients behind the device.
RemediationAI
No vendor-released patch identified at time of analysis, and none will be issued because Shibby Tomato is end-of-life. The primary remediation is to migrate affected routers to the actively maintained FreshTomato successor firmware (https://freshtomato.org), which inherits and continues development of the Tomato codebase and should be reviewed to confirm whether its bundled miniupnpd is a newer, fixed version. As compensating controls until migration, disable the UPnP/NAT-PMP service entirely in the router's administrative interface (trade-off: LAN applications such as gaming consoles, BitTorrent, and some VoIP clients that rely on automatic port mapping will need manual port forwarding); ensure miniupnpd is not bound to the WAN interface (trade-off: none for typical deployments, as WAN-side UPnP is already considered insecure); and segment untrusted LAN devices such as IoT onto a separate VLAN that cannot reach the router's UPnP listener (trade-off: increased network configuration complexity). Track the issue via https://vuldb.com/vuln/367155 for any further disclosure details.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33347
GHSA-55h4-63gw-7vcm