Description
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Published: 2026-06-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to inject arbitrary operating‑system commands via the start_dhcpc function in the Shibby Tomato web interface. This is an instance of CWE‑77 (OS Command Injection) and CWE‑78 (OS Command Injection). Successful exploitation grants the attacker the ability to run arbitrary commands with the privileges of the web UI process, effectively creating a remote code execution vector.

Affected Systems

Shibby Tomato version 1.28.0000, specifically the /sbin/rc script that implements the start_dhcpc function. The vulnerability is present in the Web UI component of the Tomato firmware distributed by Shibby.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The exploit is remote, requiring only web UI access, and published exploits exist, indicating a realistic risk of exploitation. The absence of an official fix implies attackers could perform the injection under any circumstances where the web interface is reachable.

Generated by OpenCVE AI on June 4, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a current Tomato or FreshTomato release that addresses the command‑injection flaw.
  • If an upgrade is not immediately possible, block web‑UI access to only trusted IP ranges and enforce strong authentication before allowing access.
  • Modify the /sbin/rc script to sanitize the parameters used by start_dhcpc, removing or escaping any user‑supplied input before concatenating it into an OS command.

Generated by OpenCVE AI on June 4, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Title Shibby Tomato Web UI rc start_dhcpc os command injection
First Time appeared Shibby
Shibby tomato
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
Vendors & Products Shibby
Shibby tomato
References
Metrics cvssV2_0

{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Shibby Tomato
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T20:30:16.172Z

Reserved: 2026-06-04T15:31:57.117Z

Link: CVE-2026-10870

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-04T21:16:30.220

Modified: 2026-06-05T13:26:15.113

Link: CVE-2026-10870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T22:30:25Z

Weaknesses