CVE-2026-10873 in Tomato
Summary
by MITRE • 06/05/2026
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability exists in Shibby Tomato 1.28.0000, where the rstats_path function in the /bin/rstats binary of the Web UI component has a critical flaw. It stems from insufficient validation and sanitization of the input handled by rstats_path, which lets an attacker inject operating system commands through crafted input parameters. The flaw manifests when user-supplied data is incorporated directly into a system command that is then executed without sanitization or escaping, opening a path to arbitrary command injection.
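The anti-pattern described above, and the hardened form a defender would want, as an added illustration in C. This is not Tomato's code: the function names, the /mnt/ prefix and the use of cp are hypothetical stand-ins for whatever rstats does with a user-chosen path.

```c
/* Added illustration, not Tomato's code: a hypothetical "write stats to a
 * user-chosen path" step, first in the injectable form the analysis
 * describes, then hardened (path validated, no shell involved). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Anti-pattern: the path from the web UI is spliced into a shell command
 * line, so /bin/sh interprets any metacharacters it contains. */
int save_stats_unsafe(const char *user_path)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "cp /tmp/rstats-history %s", user_path);
    return system(cmd);
}

/* Hardened step 1: accept only an absolute path under an allowed prefix,
 * built from a conservative character set, with no ".." anywhere.
 * Returns 0 if acceptable, -1 otherwise. The prefix is a hypothetical
 * USB mount point. */
int validate_stats_path(const char *p)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-";
    static const char prefix[] = "/mnt/";
    size_t len = strlen(p);

    if (len == 0 || len >= 256) return -1;
    if (strncmp(p, prefix, sizeof prefix - 1) != 0) return -1;
    if (strspn(p, allowed) != len) return -1;   /* rejects ; | & ` $ ( ) < > space ... */
    if (strstr(p, "..") != NULL) return -1;      /* no traversal components */
    return 0;
}

/* Hardened step 2: exec the helper directly with an argv, never via a
 * shell, so the path stays a single argument whatever it contains. */
int save_stats_safe(const char *user_path)
{
    if (validate_stats_path(user_path) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/cp", "cp", "--", "/tmp/rstats-history", user_path, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```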
The flaw is exploitable remotely through the web interface, so neither physical access nor local privileges are needed to compromise the device. An attacker who submits malicious input to rstats_path can have it processed and executed as shell commands, potentially leading to full system compromise. The weakness maps to CWE-77 (improper neutralization of special elements used in OS commands) and aligns with ATT&CK technique T1059.001 (command and scripting interpreter). The remote attack vector widens the exposed surface considerably, since any authenticated or unauthenticated user who can reach the web interface may be able to exploit it.
The operational impact goes beyond simple command execution: successful exploitation could result in complete takeover of the device, data exfiltration, or installation of a persistent backdoor. The rstats component typically handles system statistics and monitoring, which makes it an attractive foothold for attackers seeking long-term access to the device. Because this firmware has been superseded by FreshTomato, users still running affected versions face an elevated risk. Public disclosure of the exploitation technique compounds the danger, as readily available methods can be used against vulnerable systems. Organizations and individuals running Shibby Tomato 1.28.0000 should immediately apply mitigations: update to FreshTomato or another supported firmware, segment the network to restrict access to the affected web interface, and deploy intrusion detection to monitor for exploitation attempts. This is a critical gap that demands prompt attention to prevent unauthorized access to network devices and lateral movement within compromised networks.