Description
A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.
Published: 2026-06-04
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw was discovered in the start_vpnserver function of the /sbin/rc script within the Shibby Tomato Web UI. By manipulating the input to this function, an attacker can execute arbitrary shell commands on the device. This leads to a full compromise of confidentiality, integrity, and availability, as the attacker can gain privileged access to the underlying operating system. The vulnerability is associated with CWE-77 and CWE-78.

Affected Systems

The vulnerability specifically affects Shibby Tomato version 1.28.0000. The affected component is the Web UI interface that communicates with the start_vpnserver command. No other versions or products are listed as impacted in the current advisory.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity level. No EPSS score is available, but the exploit is publicly documented and can be triggered remotely via the Web UI, making the risk significant. The vulnerability is not listed in the CISA KEV catalog and no official workaround is provided. The likely attack vector is remote input through the Web UI’s start_vpnserver endpoint. An attacker who can reach the device’s web interface can exploit this flaw to execute arbitrary commands on the device, effectively taking control.

Generated by OpenCVE AI on June 4, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version that includes the fixed start_vpnserver implementation or switch to the official FreshTomato build.
  • Restrict network access to the device’s Web UI to trusted internal hosts or apply firewall rules that block external traffic to the affected port.
  • If an upgrade is not immediately possible, disable or remove the remote start_vpnserver capability from the configuration or patch the web UI handler to validate and sanitize its input against command injection before executing shell commands.

Generated by OpenCVE AI on June 4, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.
Title Shibby Tomato Web UI rc start_vpnserver os command injection
First Time appeared Shibby
Shibby tomato
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
Vendors & Products Shibby
Shibby tomato
References
Metrics cvssV2_0

{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Shibby Tomato
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T22:15:15.209Z

Reserved: 2026-06-04T15:32:03.191Z

Link: CVE-2026-10872

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:48.620

Modified: 2026-06-04T23:16:48.620

Link: CVE-2026-10872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T03:00:06Z

Weaknesses