CVE-2026-10870: Shibby Tomato Web UI rc start_dhcpc os command injection
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects the Shibby Tomato 1.28.0000 firmware Web UI, specifically in the start_dhcpc function of /sbin/rc. The flaw is reachable over the network and requires a high-privilege (admin) account to exploit. Successful exploitation gives an attacker full control over command execution on the device, enabling data disclosure, modification of system state, and denial of service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): the CVE is ingested from upstream feeds (including VulDB) within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built images that include Shibby Tomato 1.28.0000 components.
- Scoring and routing (Available): HarborGuard scores this finding at CVSS 8.6 (High) with CVSS v4.0 vector weighting applied, and per-environment compliance policy rules can further prioritize or suppress the alert; routing to the appropriate team inbox within each customer org is available based on configured policy.
- Fix (Pending upstream): no fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, a regression test run and a PR against affected workloads will follow immediately.
Exploit Conditions
- Network reachability: Required. The attacker must reach the device's Web UI over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.
- Authentication: Required. A high-privilege (admin-level) account is required to reach the vulnerable start_dhcpc function; low-privilege credentials are not sufficient (PR:H).
- Victim interaction: Not required. No victim interaction is needed; the attacker can trigger the injection directly without any user clicking a link or taking an action (UI:N).
- Attack complexity: Low (AC:L). The exploit is reliable and requires no special timing, race conditions, or specific environmental configuration to succeed.
Blast Radius
- A successful attacker can execute arbitrary OS commands on the device, reading sensitive configuration data including credentials and network settings (VC:H).
- The attacker can modify system configuration, persistent settings, or running processes on the device (VI:H).
- The attacker can crash or otherwise disable the device's services, causing a loss of network availability for hosts dependent on it (VA:H).
- Because this project is superseded by FreshTomato and no upstream fix exists, devices running 1.28.0000 have no vendor-supplied remediation path at this time.
How HarborGuard Handles This
Status: available on HarborGuard. Because no fix version has been published for CVE-2026-10870, the platform monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically when upstream ships a fix. For customers with auto-remediation enabled, a rebuilt image, regression test run, and PR against affected workloads will be triggered without manual intervention at that point.
In the interim, compensating controls are recommended: apply network-policy rules to restrict access to the Web UI to trusted management subnets only, consider disabling the Web UI on internet-facing interfaces if operationally feasible, and use egress filtering to limit lateral movement in the event of compromise. Teams running containers that bundle Shibby Tomato 1.28.0000 should evaluate migrating to FreshTomato, which supersedes this project, as the upstream CVE description notes no further patches are expected for Shibby Tomato.
- Shibby / Tomato 1.28.0000
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
- VDB-368360 | Shibby Tomato Web UI rc start_dhcpc os command injection
- VDB-368360 | CTI Indicators (IOB, IOC, TTP, IOA)
- CVE-2026-10870 | CVE Analysis and Report
- Submit #831856 | Tomato Tomato Firmware Shibby-modified Tomato Firmware (MIPS32 LE). Verified on extracted image labeled d2e251333c486810d9bbce816021bcf1b93dd392 (inter OS Command Injection
- gitee.com