Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
Analysis (AI)
OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary shell commands by manipulating the ipv6_6rd_borderrelay argument processed by the start_6rd_tunnel function in /sbin/rc via the Web UI. Publicly available exploit code exists per VulDB disclosure, and the project is end-of-life - superseded by FreshTomato - meaning no upstream fix is expected.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) administrative credentials to the Tomato Web UI (CVSS PR:H), (2) network reachability to the Web UI - typically LAN by default, or WAN if remote administration has been enabled, and (3) the ability to set the ipv6_6rd_borderrelay NVRAM parameter through the IPv6 6rd configuration page, which then triggers start_6rd_tunnel in /sbin/rc. … |
| Risk Assessment | The CVSS 4.0 base score of 7.3 reflects network-reachable exploitation (AV:N) with low complexity (AC:L) but requires high privileges (PR:H), meaning an attacker must already hold administrative Web UI credentials - substantially limiting blast radius. … |
| Exploit Scenario | An attacker who has obtained Web UI administrator credentials - through phishing, password reuse, default credentials, or a separate auth bypass - logs into the Tomato router and submits an IPv6 6rd configuration setting the ipv6_6rd_borderrelay field to a value containing shell metacharacters (e.g. a backtick- or semicolon-delimited command). … |
| Remediation | No vendor-released patch identified at time of analysis - Shibby Tomato is discontinued and superseded by FreshTomato, so the primary remediation is to migrate affected routers to FreshTomato (or another maintained firmware such as OpenWrt) which should be reviewed for the same code path before deployment. … |
Recommended Action (AI)
Within 24 hours: inventory all Shibby Tomato firmware instances and disable remote Web UI access via firewall rules. …
EUVD-2026-34332
GHSA-c765-prxh-h25f