CVE-2026-10873 | Severity: HIGH | CNA: VulDB

CVE-2026-10873: Shibby Tomato Web UI rstats rstats_path os command injection

A vulnerability was identified in Shibby Tomato 1.28.0000. Affected is the function rstats_path in the file /bin/rstats of the Web UI component. Manipulation of this function can lead to OS command injection. The attack can be launched remotely. An exploit has been publicly disclosed and may be used. This project is superseded by FreshTomato.

Metrics

CVSS v4.0 score: 8.6
Severity: HIGH
Fixed in: no fix version published
Affected products: 1

HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects the rstats component of the Shibby Tomato 1.28.0000 router firmware web UI. The flaw is reachable over the network by an attacker who holds administrator credentials, and a proof-of-concept exploit has been publicly disclosed. Successful exploitation gives the attacker arbitrary OS command execution on the device, with full read, write, and availability impact on the local system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-10873 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that embed Shibby Tomato or its derived components.

Triage: Available

HarborGuard is capable of scoring this CVE at 8.6 HIGH using the CVSS v4.0 vector and weighting that score against each customer environment's compliance policy; findings are routed to the appropriate team inbox within each customer organization based on asset classification rules.

Patch: Pending upstream

No fix version has been published for CVE-2026-10873. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attack is launched over the network, so the device's web UI must be reachable by the attacker across a network path.

  • Authentication: Required

    The attacker must hold a high-privilege (administrator) account on the Shibby Tomato web UI before the injection point can be reached.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the vulnerability directly through crafted requests to the web UI.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental pre-conditions beyond network access and credentials.

Blast Radius

  • Reads all files and data accessible to the rstats process, including stored configuration, credentials, and any sensitive router state.
  • Writes or overwrites arbitrary files on the device, enabling persistent backdoors or configuration tampering.
  • Executes arbitrary OS commands, giving the attacker full control over the router's operating environment.
  • Crashes or disrupts the affected service or the entire device, causing a denial of network routing for connected clients.

How HarborGuard Handles This

Available on HarborGuard: ingestion of CVE-2026-10873 from the VulDB advisory feed is available within minutes of publication, with matching applied against all customer images that include Shibby Tomato 1.28.0000 or derivative components. Because no upstream fix exists, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once a fix version is published. In the interim, customers can apply compensating controls through HarborGuard's network-policy tooling: isolating the router management interface behind a dedicated management VLAN, enforcing egress filtering to block unexpected outbound connections from the device, and disabling remote web UI access where not operationally required. These policy recommendations are surfaced in the finding detail view for each affected image. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically when upstream ships a patch, with no manual steps required.

Affected packages

  • Shibby / Tomato 1.28.0000

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P