
Shibby Tomato: EUVD-2026-34340 | CVE-2026-10873 (HIGH)
OS Command Injection (CWE-78)
2026-06-04 | VulDB | GHSA-87h4-4j7r-7jc2
7.3 (CVSS 4.0, NVD)

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

The vector is the one shown under "Severity by source" above. Its metrics, read out:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Attack Requirements: None (AT:N)
  • Privileges Required: High (PR:H)
  • User Interaction: None (UI:N)
  • Vulnerable system impact: Confidentiality High, Integrity High, Availability High (VC:H/VI:H/VA:H)
  • Subsequent system impact: None (SC:N/SI:N/SA:N)
  • Exploit Maturity (threat metric): Proof-of-Concept (E:P)

Note that CVSS 4.0 has no Scope metric. The "S:X" in the vector is the Safety supplemental metric, left undefined; the role Scope played in CVSS 3.x is taken over by the subsequent-system impact metrics (SC/SI/SA), which are all None here.

Lifecycle Timeline (5 events)

  • Jun 04, 2026 23:28 (vuln.today): Analysis updated, v3 (cvss_changed)
  • Jun 04, 2026 23:28 (vuln.today): Analysis updated, v2 (cvss_changed)
  • Jun 04, 2026 23:22 (vuln.today): Re-analysis queued (cvss_changed)
  • Jun 04, 2026 23:22 (NVD): CVSS changed, 7.2 (HIGH) to 7.3 (HIGH)
  • Jun 04, 2026 23:01 (vuln.today): Analysis generated

Description (CVE.org)

A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.

Analysis (AI)

OS command injection in Shibby Tomato 1.28.0000 firmware allows an authenticated remote attacker to execute arbitrary operating system commands by manipulating the input that reaches the rstats_path function of the /bin/rstats binary, exposed through the Web UI. Public exploit code exists (a Gitee advisory disclosed through VulDB), and the affected project is end-of-life, superseded by FreshTomato, so no upstream vendor patch is forthcoming. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Identify exposed Tomato Web UI
  • Delivery: Obtain admin credentials
  • Exploit: Submit malicious rstats_path value
  • Install: Trigger /bin/rstats shell invocation
  • C2: Execute injected commands as root
  • Execute: Persist on router firmware
  • Impact: Pivot to LAN or intercept traffic

Vulnerability Assessment (AI)

Exploitation: Requires high-privilege authenticated access to the Shibby Tomato Web UI (CVSS PR:H), specifically administrative credentials sufficient to reach the rstats configuration page that writes the rstats_path NVRAM value consumed by /bin/rstats. …

Risk Assessment: Real-world risk is moderate to elevated but bounded by the PR:H requirement in the CVSS 4.0 vector: an attacker must already hold administrative access to the router Web UI to reach the vulnerable path, which limits opportunistic mass exploitation. The practical concern is that the bug turns Web UI administration into root shell access on the device, which is a different capability from what the UI is meant to grant: an admin session is normally bounded by what the UI's forms expose, whereas a root shell allows arbitrary binaries, firmware-level persistence and traffic manipulation. …

Exploit Scenario: An attacker who has obtained admin credentials to the router Web UI, for example through default-password scanning, credential stuffing against the LAN interface, or a chained authentication bypass, submits a manipulated value for the rstats_path parameter that contains shell metacharacters (e.g. `;`, backticks, or `$()`). When /bin/rstats reads this NVRAM-backed value and passes it to a shell, the injected commands execute as root on the embedded Linux device. That grants full router takeover suitable for traffic interception, DNS hijacking, or pivoting into the LAN, and a public proof-of-concept on Gitee removes the need for any custom exploit development.

Remediation: No vendor-released patch was identified at the time of analysis. The Shibby Tomato project is no longer maintained and has been superseded by FreshTomato, so the primary recommended remediation is to migrate affected devices to a currently maintained successor firmware such as FreshTomato (https://www.freshtomato.org/), after verifying that the rstats path handling has been fixed there, or to OpenWrt as an alternative. Until a device is migrated, treat any account that can reach the rstats settings page as a root account on the router: rotate its password, do not share it, and keep the Web UI off the WAN. …
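The injection mechanism in the exploit scenario, reduced to the code pattern behind it, as an added example that is not Shibby Tomato's source and does not show where in /bin/rstats the real bug sits. It contrasts a hypothetical helper that splices the NVRAM-backed rstats_path value into a shell command line (the vulnerable pattern) with a validator that accepts only a conservative absolute path and an argv builder that keeps the value as a single execv() argument so no shell ever parses it. The function names, the `cp` backup command and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Shibby Tomato's code. Function names, the backup
 * command and the sample values are assumptions for illustration. */

#define RSTATS_PATH_MAX 256

/* Vulnerable pattern: the NVRAM-backed rstats_path value is spliced into a
 * command line that the caller would hand to system() or popen(). A value
 * such as "/tmp;reboot" terminates the cp command and starts a second one,
 * which runs as root because the rstats daemon runs as root. The string is
 * only built here, never executed. Returns the static buffer, or NULL if the
 * command would not fit. */
const char *build_backup_cmd_vulnerable(const char *rstats_path)
{
    static char cmd[512];
    int n = snprintf(cmd, sizeof cmd,
                     "cp /tmp/rstats.bak %s/rstats.bak", rstats_path);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return NULL;
    return cmd;
}

/* Hardened check: accept only an absolute path built from [A-Za-z0-9/_.-]
 * with no ".." component. Every shell metacharacter (; | & ` $ ( ) < > space,
 * quotes, newline) lies outside this set, so the value cannot change the
 * meaning of a command line even if it is later quoted badly.
 * Returns 1 if safe, 0 otherwise. */
int rstats_path_is_safe(const char *p)
{
    size_t i, len;
    const char *q;

    if (p == NULL || p[0] != '/')
        return 0;
    len = strlen(p);
    if (len >= RSTATS_PATH_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(isalnum(c) || c == '/' || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    /* Reject a ".." component: "/a/../b", "/a/.." but not "/a/..hidden". */
    q = p;
    while ((q = strstr(q, "/..")) != NULL) {
        if (q[3] == '/' || q[3] == '\0')
            return 0;
        q += 3;
    }
    return 1;
}

/* Hardened execution: build an argv vector for fork() + execv("/bin/cp", argv)
 * instead of a shell command string. The destination is one argument, so a
 * ";" or "$(...)" inside it is never interpreted, and unsafe values are
 * refused up front. dest must hold RSTATS_PATH_MAX + 16 bytes.
 * Returns the number of arguments filled in (3), or -1 if rejected. */
int build_backup_argv(const char *rstats_path, char *dest, size_t destlen,
                      char *argv[4])
{
    int n;
    if (!rstats_path_is_safe(rstats_path))
        return -1;
    n = snprintf(dest, destlen, "%s/rstats.bak", rstats_path);
    if (n < 0 || (size_t)n >= destlen)
        return -1;
    argv[0] = (char *)"cp";
    argv[1] = (char *)"/tmp/rstats.bak";
    argv[2] = dest;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values: one benign, two carrying injections. */
    const char *samples[] = { "/mnt/usb/rstats", "/tmp;reboot", "/opt/$(id)" };
    char dest[RSTATS_PATH_MAX + 16];
    char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cmd = build_backup_cmd_vulnerable(samples[i]);
        printf("value %-16s safe=%d\n", samples[i], rstats_path_is_safe(samples[i]));
        printf("  vulnerable command line: %s\n", cmd ? cmd : "(truncated)");
        if (build_backup_argv(samples[i], dest, sizeof dest, argv) == 3)
            printf("  hardened argv[2]: %s\n", argv[2]);
        else
            printf("  hardened: value rejected\n");
    }
    return 0;
}
```

The allow-list is deliberately narrower than "reject known metacharacters": a deny-list misses whatever the next shell or busybox build treats specially, while an absolute-path allow-list only has to be right about what a storage path legitimately looks like. Replacing system() with execv() is the other half; validation alone still leaves a shell in the loop.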

Recommended Action (AI)

Within 24 hours: Audit all deployments of Shibby Tomato 1.28.0000 and restrict Web UI access to trusted administrative networks: disable remote (WAN-side) administration, limit the UI to a management VLAN or the LAN, and replace any default or shared admin passwords, since the CVSS PR:H condition is the only barrier between an admin login and root on the device. …
