CVE-2026-15547
Received Received - Intake

Command Injection in Shibby Tomato Firmware

Vulnerability report for CVE-2026-15547, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This project is superseded by FreshTomato.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shibby tomato to 1.28.0000 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15547 is an OS command injection vulnerability in the Tomato by Shibby firmware, specifically in the CIFS mount handler component. The vulnerability arises when an attacker with authenticated admin access modifies the NVRAM keys 'cifs1' or 'cifs2' to include malicious commands. The firmware parses these keys using the '<' delimiter and passes the extracted command directly to the system() function without sanitization, allowing arbitrary shell commands to be executed with root privileges during the CIFS share mount operation.

This vulnerability affects Tomato firmware version 1.28.0000-120 K26ARM USB AIO-64K on ARM architecture and can be exploited remotely via the Web UI or SSH by an authenticated admin. The injected commands persist across reboots because NVRAM values are retained.

Impact Analysis

Exploitation of this vulnerability can lead to persistent root-level code execution on the affected device. An attacker who gains authenticated admin access can execute arbitrary commands with root privileges, potentially compromising the entire system.

  • Complete control over the device firmware and operating system.
  • Ability to install malware or backdoors that survive reboots.
  • Potential disruption of network services or interception of network traffic.
  • Compromise of sensitive data or credentials stored or passing through the device.
Detection Guidance

This vulnerability can be detected by checking if the NVRAM keys `cifs1` or `cifs2` contain malicious commands injected in their values, specifically in the 6th field separated by the '<' delimiter. Since exploitation requires authenticated admin access to modify these keys, detection involves inspecting these NVRAM values for suspicious content.

Commands to detect potential exploitation include querying the NVRAM values for `cifs1` and `cifs2` and examining them for unusual or unexpected shell commands.

  • Use SSH to access the device and run: `nvram get cifs1` and `nvram get cifs2`
  • Look for suspicious command injection patterns in the output, especially in the 6th field separated by '<'.
  • Check the CIFS mount operations and logs for unexpected behavior or errors that might indicate command execution.
Mitigation Strategies

Immediate mitigation steps include restricting access to the administrative interface to prevent unauthorized modification of NVRAM keys `cifs1` and `cifs2`.

Ensure that only trusted administrators have authenticated access via Web UI or SSH, as exploitation requires authenticated admin privileges.

Avoid mounting CIFS shares with untrusted or unknown UNC paths that could be used to inject malicious commands.

Consider upgrading to a firmware version that supersedes Shibby Tomato, such as FreshTomato, which is not affected by this vulnerability.

Regularly audit and sanitize NVRAM keys related to CIFS mounts to remove any injected commands.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15547. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart