HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-10872Published Modified CNA VulDB

CVE-2026-10872: Shibby Tomato Web UI rc start_vpnserver os command injection

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in the Web UI component of Shibby Tomato firmware version 1.28.0000, specifically in the start_vpnserver function within /sbin/rc. The flaw is reachable over the network and requires a high-privilege account, but once exploited it allows an attacker to execute arbitrary operating system commands on the device. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-10872 is available across every HarborGuard environment - the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from Shibby Tomato 1.28.0000 base layers.

Available
Triage

HarborGuard scores this finding at CVSS 8.6 (HIGH) using the v4.0 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

No fix version has been published upstream for CVE-2026-10872; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream patch or successor project release is confirmed. In the meantime, customers with compensating-control workflows can use HarborGuard's policy engine to flag and block deployment of affected image versions.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable start_vpnserver function is exposed over the network, so an attacker must be able to reach the device's Web UI interface across the network to deliver the malicious input.

  • AuthenticationRequired

    Exploitation requires a high-privilege (admin-level) account on the Tomato Web UI; a low-privilege or unauthenticated session is not sufficient.

  • Victim interactionNot required

    No action from a logged-in user or device owner is needed; the attacker can trigger the injection directly after authenticating.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond network access and valid admin credentials.

Blast Radius

  • Reads arbitrary files and sensitive configuration data stored on the device, including VPN credentials and network settings.
  • Writes or overwrites files on the device filesystem, enabling persistent backdoors or configuration tampering.
  • Executes arbitrary OS commands with the privilege level of the rc process, giving the attacker full control over the firmware environment.
  • Crashes or disrupts services running on the device, causing loss of network routing or VPN connectivity for dependent clients.

How HarborGuard Handles This

Available on HarborGuard: automatic advisory monitoring for CVE-2026-10872 is active across customer environments, with re-ingestion on every feed cycle to detect an upstream fix the moment one is published. Because no patched version exists, the recommended immediate action is to use HarborGuard's network-policy controls to isolate containers or workloads derived from Shibby Tomato 1.28.0000 base images, restricting Web UI exposure to trusted network segments only. Egress filtering rules can be configured through HarborGuard's policy engine to limit the blast radius if a compromised device attempts lateral movement. The note in the CVE record that this project is superseded by FreshTomato is surfaced in the advisory detail, and HarborGuard will track whether a FreshTomato release resolves the underlying flaw and flag it as a candidate replacement base image when applicable. For customers who opt into auto-remediation, a rebuilt image and regression run will be triggered automatically once an upstream fix version is confirmed.

See how HarborGuard automates this
Affected packages
  • Shibby / Tomato
    1.28.0000
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References