OS Command Injection Vulnerability in Shibby Tomato Router Firmware
CVE-2026-10872
Key Information:
Badges
What is CVE-2026-10872?
A security flaw has been identified in Shibby Tomato 1.28.0000 firmware, specifically affecting the 'start_vpnserver' function within the Web UI component located in /sbin/rc. This vulnerability permits remote attackers to execute arbitrary OS commands on the affected devices, potentially leading to unauthorized access and control. The issue has been publicly disclosed, emphasizing the urgency for users to assess their systems and apply necessary mitigations or upgrades. It's important to note that this firmware version is no longer maintained, with FreshTomato being the recommended successor.
Affected Version(s)
Tomato 1.28.0000
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
