CVE-2026-15546
Received Received - Intake

Command Injection in Shibby Tomato Firmware

Vulnerability report for CVE-2026-15546, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security flaw has been discovered in Shibby Tomato up to 1.28.0000. Affected by this issue is the function sub_2D568 of the component start_jffs2. Performing a manipulation of the argument jffs2_exec results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This project is superseded by FreshTomato.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shibby tomato to 1.28.0000 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with authenticated access to inject arbitrary shell commands that execute as root, potentially leading to unauthorized access, data manipulation, or persistent backdoors. Such unauthorized access and control over the device could result in the compromise of sensitive data or system integrity.

Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems. The presence of a persistent backdoor and potential data breaches due to this vulnerability may lead to violations of these regulations.

Executive Summary

CVE-2026-15546 is an OS command injection vulnerability found in the Tomato by Shibby firmware, specifically in the start_jffs2 function within the sbin/rc binary.

The vulnerability occurs because the function retrieves the NVRAM key jffs2_exec and passes its value directly to the system() function without any sanitization or validation.

An attacker with authenticated access (via the Web UI or SSH) who has admin-level NVRAM write permissions can inject arbitrary shell commands that execute as root during the JFFS2 startup sequence.

The attack is triggered when the jffs2_on key is set to "1", the JFFS2 partition mounts successfully, and the jffs2_exec key contains a malicious payload.

Injected commands persist across reboots due to NVRAM storage, potentially creating a persistent backdoor.

Impact Analysis

This vulnerability allows an attacker with authenticated admin-level access to execute arbitrary commands as root on the affected device.

Because the injected commands persist across reboots, the attacker can maintain persistent control or backdoor access to the system.

Such control can lead to unauthorized system modifications, data compromise, disruption of services, or further attacks within the network.

Detection Guidance

This vulnerability can be detected by checking the NVRAM keys related to JFFS2 on the affected device. Specifically, you should verify if the key `jffs2_on` is set to "1" and inspect the value of the `jffs2_exec` key for any suspicious or malicious command injections.

Since the vulnerability involves command injection via the `jffs2_exec` NVRAM key, you can use commands to read these keys and look for unexpected or unauthorized commands.

  • nvram get jffs2_on
  • nvram get jffs2_exec

If `jffs2_on` is "1" and `jffs2_exec` contains suspicious shell commands, this indicates the vulnerability may be exploited or present.

Mitigation Strategies

To mitigate this vulnerability immediately, you should remove or sanitize the `jffs2_exec` NVRAM key to prevent execution of arbitrary commands during the JFFS2 startup.

Additionally, ensure that only trusted administrators have access to the device's Web UI or SSH, as exploitation requires authenticated admin-level NVRAM write access.

Consider disabling JFFS2 by setting the `jffs2_on` key to "0" if JFFS2 functionality is not required.

Since the vulnerability persists across reboots due to NVRAM storage, clearing or resetting the NVRAM keys related to JFFS2 can help remove any malicious payloads.

Finally, upgrade to a firmware version that supersedes Shibby Tomato, such as FreshTomato, which is not affected by this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15546. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart