CVE-2026-10873
Deferred Deferred - Pending Action
Command Injection in Shibby Tomato Web UI

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: VulDB

Description
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-10873
EUVD
EUVD-2026-34340
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shibby_tomato tomato 1.28.0000
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Shibby Tomato version 1.28.0000, specifically in the rstats_path function of the /bin/rstats file within the Web UI component.

An attacker can remotely manipulate this function to perform OS command injection, which means they can execute arbitrary operating system commands on the affected device.

The vulnerability has been publicly disclosed and may be actively exploited.

Impact Analysis

This vulnerability can have severe impacts because it allows a remote attacker to execute arbitrary OS commands on the affected system.

  • Compromise of system confidentiality, integrity, and availability.
  • Potential full control over the affected device by the attacker.
  • Disruption of services or unauthorized access to sensitive data.
Compliance Impact

The vulnerability allows OS command injection through the Web UI of Shibby Tomato firmware, potentially leading to full system compromise if exploited by an attacker with administrative credentials.

Such a compromise could result in unauthorized access to sensitive data or disruption of system integrity, which may negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these regulations.

Detection Guidance

This vulnerability can be detected by checking if the Shibby Tomato firmware version 1.28.0000 is in use and if the Web UI's Bandwidth Monitoring feature is enabled with a custom save path set in the rstats_path NVRAM variable.

Since the vulnerability involves OS command injection via the rstats_path variable, one way to detect exploitation attempts is to look for unusual commands or files created on the system, such as the presence of files like /tmp/pwned which may be created by injected payloads.

  • Check the firmware version: verify if it is Shibby Tomato 1.28.0000.
  • Inspect the rstats_path NVRAM variable for suspicious values or shell metacharacters.
  • Look for unexpected files created by command injection, e.g., run: ls /tmp/pwned
  • Monitor web server logs for requests to the Bandwidth Monitoring feature (admin-bwm.asp) with suspicious parameters.
Mitigation Strategies

Immediate mitigation steps include disabling the Bandwidth Monitoring feature in the Web UI to prevent triggering the vulnerable code path.

Avoid setting or using custom save paths in the rstats_path NVRAM variable, as this is the vector for command injection.

Restrict administrative access to the Web UI to trusted users only, since the attack requires web admin credentials.

Consider upgrading to a newer firmware version such as FreshTomato, which has addressed similar issues by hardening the rstats component.

If possible, apply patches that replace unsafe system() calls with safer alternatives and implement proper input validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart