Severity: HIGH | CVE-2026-10069 | CNA: VulDB

CVE-2026-10069: Shibby Tomato miniupnpd resource consumption

A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A remote resource-consumption flaw in the miniupnpd binary shipped with Shibby Tomato 1.28 routers. The bug is reachable over the network with no authentication and no user interaction, and successful exploitation exhausts service resources and disrupts availability of the affected device. The project is end-of-life (superseded by FreshTomato) and no fix is available; HarborGuard tracks the advisory for any future patch publication.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle the Tomato miniupnpd binary, not just vendor base images.

Status: Available

Triage

Triage is available with the CVSS v4 score of 8.7 (High) carried into the workflow and weighted against each customer's compliance policy. Findings route to the appropriate inbox inside each customer org so that internet-exposed router or gateway images are prioritized over isolated build artifacts.

Status: Available

Patch

Because Shibby Tomato is unsupported and no fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. In the meantime, the affected component is flagged in the inventory so customers can plan migration to FreshTomato or another maintained alternative.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the miniupnpd service over the network, typically on a LAN-facing or WAN-facing UPnP port.

  • Authentication: Not required

    No credentials are needed; any host that can send packets to the service can trigger the condition.

  • Victim interaction: Not required

    No user action on the device is needed for the attack to succeed.

  • Attack complexity (detail)

    AC:L, together with AT:N in the vector, indicates that exploitation needs no special conditions: it does not depend on race conditions or environmental tuning.

Blast Radius

  • Exhausts CPU, memory, or connection resources inside miniupnpd, making the UPnP service unresponsive.
  • Disrupts availability of port-mapping functions that downstream applications and devices rely on.
  • Leaves confidentiality and integrity of stored data untouched; the impact is purely on service availability.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the advisory with automatic rebuild availability if and when an upstream fix lands. Because Shibby Tomato is no longer maintained and superseded by FreshTomato, the practical path forward is migration, and HarborGuard surfaces every image carrying the affected miniupnpd binary so that migration planning can be scoped. Compensating controls worth applying in the interim include restricting miniupnpd exposure to trusted network segments, disabling UPnP where it is not strictly required, and adding egress and ingress filtering on the affected router images; for customers with auto-remediation enabled, a rebuilt image and regression run will be staged the moment a patched upstream (or FreshTomato equivalent) becomes available.


Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: none
  • Affected products: 1
  • Affected packages: Shibby / Tomato 1.28
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X