CVE-2026-10871: Shibby Tomato Web UI rc start_6rd_tunnel os command injection
A vulnerability has been found in Shibby Tomato 1.28.0000. It affects the function start_6rd_tunnel in the file /sbin/rc of the Web UI component. Manipulation of the argument ipv6_6rd_borderrelay leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects the web UI of Shibby Tomato firmware version 1.28.0000. An attacker with administrative credentials can reach the vulnerable function start_6rd_tunnel in /sbin/rc over the network and inject arbitrary shell commands through the ipv6_6rd_borderrelay argument, a value the 6rd configuration page stores and the rc process later hands to a shell without validating it. Successful exploitation gives the attacker full control over the device, including the ability to read, modify, or destroy data and disrupt service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
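The root cause described above is a configuration value reaching a shell unvalidated. The following added example (not Tomato's code, and not from HarborGuard) contrasts the unsafe pattern with a hardened one: the border-relay value is checked as a strict dotted-quad IPv4 address and then passed as a single argv element to execvp(), so no shell ever parses it. The function names, the `ip -6 route ... via ::a.b.c.d` command form and the sample inputs are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

#define MAX_ARGS 16

/* Strict IPv4 validation. inet_pton(AF_INET) accepts only the canonical
 * dotted-quad form, so whitespace, quotes, ';', '|', '$(' and the like are
 * all rejected before the value goes anywhere near a command. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > INET_ADDRSTRLEN - 1)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* The unsafe pattern, kept only for contrast and never executed here: the
 * stored value is pasted into a command line that would then be handed to
 * system()/popen(). Everything after the value becomes shell syntax. */
int build_unsafe_command(char *out, size_t outlen, const char *relay)
{
    return snprintf(out, outlen, "ip -6 route add ::/0 via ::%s dev tun6rd", relay);
}

/* Hardened pattern: validate first, then build an argv for execvp(). With no
 * shell in the path, the value can only ever be a single argument.
 * `via` must outlive `argv`. Returns argc on success, -1 on rejection.
 * The route form (IPv4 relay embedded as ::a.b.c.d) is an assumption. */
int build_safe_argv(char *argv[], size_t maxargs, const char *relay,
                    char *via, size_t vialen)
{
    const char *fixed[] = { "ip", "-6", "route", "add", "::/0", "via", NULL, "dev", "tun6rd" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (!is_valid_ipv4(relay) || maxargs < n + 1)
        return -1;
    if (snprintf(via, vialen, "::%s", relay) >= (int)vialen)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = (char *)(fixed[i] ? fixed[i] : via);   /* slot 6 is the relay */
    argv[n] = NULL;
    return (int)n;
}

/* Run an argv directly (fork + execvp), never through /bin/sh.
 * Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened replacement for the tunnel bring-up step (hypothetical name). */
int start_6rd_tunnel_safe(const char *relay)
{
    char *argv[MAX_ARGS];
    char via[INET6_ADDRSTRLEN];
    if (build_safe_argv(argv, MAX_ARGS, relay, via, sizeof via) < 0)
        return -1;            /* rejected: nothing is executed */
    return run_argv(argv);
}

int main(void)
{
    /* constructed sample values, not taken from any real device */
    const char *samples[] = { "203.0.113.1", "203.0.113.1;foo", "203.0.113" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", samples[i],
               is_valid_ipv4(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two halves of the fix matter independently: validation stops malformed values at the boundary, and the argv-based exec means that even a value the validator missed could only ever be a malformed argument to `ip`, never a second command.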
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds (including VulDB) within minutes of publication and matched against all customer images, including custom-built firmware or embedded-Linux images derived from Tomato. Any image carrying the affected Shibby Tomato 1.28.0000 components is flagged automatically.
- Available: HarborGuard scores this finding at CVSS 8.6 (HIGH, v4.0) and applies each customer org's compliance policy weighting to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer environment, prioritized against their existing vulnerability queue.
- Pending upstream: No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer (or the FreshTomato successor project) ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the device's web UI over the network; the vulnerability is remotely exploitable without requiring local or physical access.
- Authentication: Required
An administrative (high-privilege) account is needed to access the web UI endpoint that exposes the vulnerable function.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker sends the crafted request directly.
- Attack complexity: Low
Exploit complexity is low: the injection requires no race conditions, special memory layout, or environmental preconditions, making it reliable and repeatable.
Blast Radius
- Reads all data accessible to the firmware process, including stored credentials, Wi-Fi passphrases, and configuration secrets.
- Modifies device configuration, firewall rules, or routing tables, enabling persistent backdoors or traffic interception.
- Crashes or reboots the affected device, cutting off network connectivity for all clients depending on it.
- Executes arbitrary OS commands with the privilege level of the rc process, giving the attacker effective full-device control.
How HarborGuard Handles This
Available on HarborGuard. Because no upstream fix exists for this CVE, HarborGuard continuously monitors the advisory across every ingest cycle and will surface a patched-image rebuild the moment a remediated version is published by the Shibby Tomato project or its FreshTomato successor. In the interim, compensating controls worth considering include network-policy isolation to restrict web UI access to trusted management subnets only, egress filtering to limit outbound connections from affected devices, and disabling the 6rd tunnel configuration feature via feature flag or ACL if it is not operationally required. Because exploitation requires administrative credentials, rotating shared or default admin passwords and logging web UI logins also reduce the practical exposure. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically as soon as a fix version becomes available; in those environments the median time from CVE patch publication to merged PR for high-severity issues is around 90 minutes.
Affected Products
- Shibby / Tomato 1.28.0000
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References
- VDB-368361 | Shibby Tomato Web UI rc start_6rd_tunnel os command injection
- VDB-368361 | CTI Indicators (IOB, IOC, TTP, IOA)
- CVE-2026-10871 | CVE Analysis and Report
- Submit #831857 | Tomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injection
- gitee.com
- gitee.com