CVE-2026-10871
Deferred Deferred - Pending Action
Command Injection in Shibby Tomato Firmware

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-10871
EUVD
EUVD-2026-34332
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shibby tomato 1.28.0000
freshtomato tomato *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Shibby Tomato version 1.28.0000, specifically in the start_6rd_tunnel function of the /sbin/rc file within the Web UI component.

The issue arises from improper handling of the argument ipv6_6rd_borderrelay, which allows an attacker to perform OS command injection.

This means that an attacker can remotely execute arbitrary operating system commands on the affected device.

Impact Analysis

Because the vulnerability allows remote OS command injection, an attacker could gain unauthorized control over the affected system.

This could lead to compromise of the device, unauthorized access to sensitive data, disruption of services, or use of the device as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by checking if the IPv6 6rd or 6rd-pd service is enabled on the Tomato router and if the NVRAM key `ipv6_6rd_borderrelay` contains suspicious or malicious shell metacharacters.

A practical detection method is to verify if a file named `/tmp/pwned_6rd` exists on the router, which indicates exploitation using the known proof of concept.

  • Check the value of the `ipv6_6rd_borderrelay` parameter in the router's NVRAM or configuration.
  • Look for unexpected files such as `/tmp/pwned_6rd` on the router filesystem.
  • Example command to check for the proof of concept file: `ls /tmp/pwned_6rd`
  • Example command to inspect the `ipv6_6rd_borderrelay` value (if accessible): `nvram get ipv6_6rd_borderrelay`
Mitigation Strategies

Immediate mitigation steps include disabling the IPv6 6rd or 6rd-pd service on the affected Tomato router to prevent triggering the vulnerable function.

Ensure that only trusted administrators have web admin access to the router, as exploitation requires admin credentials.

Avoid entering or saving any untrusted or suspicious values in the 6rd Border Relay field in the router's IPv6 settings.

Consider upgrading to a firmware version that supersedes Shibby Tomato 1.28.0000, such as FreshTomato, which is not affected by this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart