CVE-2026-10872
Status: Deferred - Pending Action
Command Injection in Shibby Tomato Router Firmware

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in OS command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shibby_tomato 1.28.0000 *
CWE ID and Description
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

This vulnerability exists in Shibby Tomato version 1.28.0000, specifically in the start_vpnserver function within the /sbin/rc file of the Web UI component.

An attacker can remotely perform a manipulation that leads to operating system command injection, allowing them to execute arbitrary commands on the affected system.

The exploit for this vulnerability has been made public, increasing the risk of it being used maliciously.

Impact Analysis

This vulnerability allows remote attackers to inject and execute arbitrary operating system commands on the affected device.

Successful exploitation can lead to full compromise of the device, including unauthorized access, data theft, disruption of services, or further attacks within the network.

Because the exploit is publicly available, the risk of attack is higher.

Compliance Impact

The vulnerability allows authenticated administrators to execute arbitrary commands as root on the affected device, leading to a potential full system compromise.

Such unauthorized root access and remote code execution can lead to unauthorized access, modification, or disclosure of sensitive data, which may violate data protection regulations like GDPR and HIPAA.

Because the exploit requires administrative credentials, the vulnerability highlights risks related to insufficient access controls and input validation, which are critical for compliance with security standards.

Organizations using the affected firmware could face compliance issues if this vulnerability is exploited, as it undermines the confidentiality, integrity, and availability of protected data.

Detection Guidance

Detection of this vulnerability involves checking for unauthorized or suspicious modifications in the VPN server configuration parameters and related scripts on the affected Tomato firmware device.

  • Inspect the NVRAM keys vpn_server%d_proto and vpn_server%d_custom for injected newline characters or malicious OpenVPN directives.
  • Check for the presence of unexpected or suspicious shell scripts such as /etc/openvpn/fw/server%d-fw.sh that may have been created or modified.
  • Look for files created by exploits, for example, /tmp/pwned_vpnserver or /tmp/evil.sh, which indicate successful exploitation.
  • Commands to help detect the vulnerability might include:
    1. nvram get vpn_server1_proto    # check for newline or suspicious characters
    2. nvram get vpn_server1_custom   # check for injected OpenVPN directives
    3. ls -l /etc/openvpn/fw/         # look for unexpected firewall scripts
    4. ls -l /tmp/                    # check for exploit-created files like pwned_vpnserver or evil.sh
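As an added example that is not part of this advisory or of the Tomato project, the following shell script applies the checks above on a device: it flags vpn_server%d_proto and vpn_server%d_custom values that contain an embedded newline or shell metacharacter, and lists the file markers named in the guidance. It assumes a BusyBox-style sh with the nvram tool; where nvram is absent it falls back to constructed sample values so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the advisory or Tomato): applies the detection
# guidance above. Uses the router's `nvram` tool when present, otherwise
# constructed sample values so the logic runs offline.
nl='
'
# True (0) when VALUE holds an embedded newline or a shell metacharacter;
# a legitimate proto setting such as "udp" never does.
value_is_suspicious() {
    case "$1" in
        *"$nl"*) return 0 ;;   # injected newline
        *';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*) return 0 ;;
    esac
    return 1
}
# Prints "SUSPICIOUS <key>" or "ok <key>" for one key/value pair.
check_key() {
    if value_is_suspicious "$2"; then echo "SUSPICIOUS $1"; else echo "ok $1"; fi
}
# Reads the real NVRAM key when `nvram` exists; otherwise returns a
# constructed sample in which slot 2's custom field carries a newline.
get_value() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get "$1" 2>/dev/null || true
    elif [ "$1" = "vpn_server2_custom" ]; then
        printf 'udp%sinjected-directive' "$nl"
    else
        printf 'udp'
    fi
}
# Scan VPN server slots 1 and 2 (the stock Tomato slots; assumption).
scan_vpn_server_keys() {
    for n in 1 2; do
        for key in "vpn_server${n}_proto" "vpn_server${n}_custom"; do
            check_key "$key" "$(get_value "$key")"
        done
    done
}
# Filesystem markers named in the guidance: exploit-created files and
# unexpected firewall scripts under /etc/openvpn/fw/.
check_markers() {
    for f in /tmp/pwned_vpnserver /tmp/evil.sh; do
        if [ -e "$f" ]; then echo "FOUND $f"; fi
    done
    ls -l /etc/openvpn/fw/ 2>/dev/null || true
}
scan_vpn_server_keys
check_markers
```

Any line beginning with SUSPICIOUS or FOUND warrants restoring the key to a known-good value and reviewing the device before the VPN server is started again.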
Mitigation Strategies

Immediate mitigation steps include restricting access to the Tomato Web management interface to trusted administrators only, as exploitation requires authenticated admin credentials.

Avoid using the vulnerable Tomato firmware version 1.28.0000 and upgrade to a maintained and patched firmware such as FreshTomato, which supersedes the affected project.

Review and sanitize VPN server configuration parameters, especially vpn_server%d_proto and vpn_server%d_custom, to ensure no malicious input or injected commands exist.

Restarting or starting the VPN server without cleaning these parameters may trigger the vulnerability, so ensure configurations are clean before doing so.

If possible, apply patches or updates provided by the vendor or community addressing this specific vulnerability.
