CVE-2026-10870 in Tomato
Summary
by MITRE • 06/05/2026
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes OS command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Analysis
by VulDB Data Team • 06/05/2026
The vulnerability identified in Shibby Tomato version 1.28.0000 represents a critical command injection flaw within the web user interface component that affects the start_dhcpc function in the /sbin/rc file. This issue stems from inadequate input validation and sanitization mechanisms that allow malicious actors to inject arbitrary operating system commands through the web interface. The vulnerability exists specifically within the DHCP client startup functionality, making it particularly dangerous as it can be exploited to execute arbitrary code on the affected device with the privileges of the web server process.
The technical nature of this flaw aligns with the CWE-77 and CWE-94 categories, which cover injection flaws that let attackers execute arbitrary commands on the target system. The attack vector is remote and authenticated, meaning that an attacker who can access the web UI can manipulate input parameters to inject malicious commands that will be executed by the underlying operating system. This vulnerability is particularly concerning because it allows for complete system compromise, potentially enabling attackers to gain persistent access, install backdoors, or exfiltrate sensitive data from the device. The fact that an exploit has been published and is publicly available significantly increases the risk to affected systems.
The operational impact of this vulnerability extends beyond simple command execution, as it can be leveraged to create persistent access points within networks. Attackers can use this vulnerability to establish reverse shells, modify system configurations, disable security features, or even replace the firmware with a malicious version. The vulnerability not only affects individual devices but can also serve as a foothold for broader network infiltration, particularly in environments where these routers serve as gateways or network infrastructure devices. The fact that Shibby Tomato has been superseded by FreshTomato indicates that the maintainers recognized the severity of this class of vulnerability and have moved to address such issues in newer releases.
Organizations and individuals using Shibby Tomato 1.28.0000 should immediately implement mitigations including network segmentation, disabling unnecessary web interface access, and applying the latest firmware updates from FreshTomato or other secure alternatives. The ATT&CK framework categorizes this vulnerability under T1059.001 for command and scripting interpreter and T1078.004 for valid accounts, as exploitation typically requires valid authentication followed by command execution. Additionally, implementing proper input validation, using parameterized commands, and applying the principle of least privilege to web interface processes would significantly reduce the attack surface and potential impact of such vulnerabilities.
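The input-validation and parameterized-command mitigations above, as an added C example that is not code from Shibby Tomato, FreshTomato or the advisory. The function names, the `udhcpc` client name and its flags, the length limits and the sample values are assumptions made for illustration; the advisory does not name the affected parameter.

```c
#include <stddef.h>
#include <string.h>

/* Allow-list check: 1..max_len bytes, each an ASCII letter/digit or a byte
 * from `extra`, and no leading '-' (a program would parse it as an option). */
static int is_safe_token(const char *s, size_t max_len, const char *extra)
{
    size_t n = s ? strlen(s) : 0;

    if (n == 0 || n > max_len || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                    (c >= 'A' && c <= 'Z');
        if (!alnum && strchr(extra, c) == NULL)
            return 0;
    }
    return 1;
}

/* Builds an argument vector for a DHCP client from web-UI-supplied values.
 * Returns argc, or -1 if a value is rejected. The vector is meant for an
 * execv()-style call, so no shell ever parses the values. The client name
 * and flags are assumptions for this example. */
int build_dhcpc_argv(const char *ifname, const char *hostname,
                     const char *argv[], size_t cap)
{
    int i = 0;

    if (cap < 6 || !is_safe_token(ifname, 15, "._-") ||
        !is_safe_token(hostname, 63, "-"))
        return -1;
    argv[i++] = "udhcpc";
    argv[i++] = "-i";
    argv[i++] = ifname;
    argv[i++] = "-H";
    argv[i++] = hostname;
    argv[i] = NULL;
    return i;
}

int main(void)
{
    const char *argv[6];
    /* Constructed inputs: the first is accepted, the second is rejected. */
    return build_dhcpc_argv("vlan2", "router1", argv, 6) == 5 &&
           build_dhcpc_argv("vlan2", "gw;id", argv, 6) == -1 ? 0 : 1;
}
```

Rejecting a value outright, rather than trying to escape it, keeps the check independent of whichever shell or parser sits further down the call chain.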