PatchSiren cyber security CVE debrief
CVE-2026-10066 Shibby CVE debrief
A stack-based buffer overflow vulnerability exists in Shibby Tomato firmware up to version 1.28, specifically within the `sub_9068` function of the `tomatoups.cgi` file in the UPS Service component. The vulnerability allows remote attackers to trigger memory corruption through crafted input. This affects a deprecated firmware project that has been superseded by FreshTomato; the affected products are no longer maintained by the original vendor. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high impact to confidentiality, integrity, and availability. No known exploitation in the wild or ransomware campaign use has been documented.
- Vendor: Shibby
- Product: Tomato
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Network administrators managing legacy router deployments, security teams responsible for firmware lifecycle management, and organizations with embedded Linux infrastructure running Tomato-based firmware.
Technical summary
The vulnerability is a stack-based buffer overflow (CWE-121) in the `sub_9068` function of `tomatoups.cgi`, part of the UPS Service component in Shibby Tomato firmware. The flaw enables remote attackers with low privileges to achieve high impact on confidentiality, integrity, and availability through network-based attacks. The affected product is end-of-life and unmaintained; users must migrate to the community-supported FreshTomato fork.
Defensive priority
HIGH
Recommended defensive actions
- Inventory network infrastructure for devices running Shibby Tomato firmware version 1.28 or earlier
- Prioritize replacement or firmware migration to FreshTomato for affected devices
- Implement network segmentation to restrict access to router management interfaces
- Monitor for anomalous requests to tomatoups.cgi endpoints
- Consider disabling UPS service functionality if not required
- Document end-of-life status in asset management systems
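As an added illustration of the monitoring item above (example code, not part of this advisory or of the Tomato project), the following Python script scans Common Log Format access-log lines for requests to tomatoups.cgi and flags those with an oversized query string, a source outside the management network, or a 5xx reply. The sample log lines, the length threshold and the management subnet are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format); not from any real device.
LONG_QUERY = "A" * 600
SAMPLE_LOG = f"""\
192.168.1.10 - admin [29/May/2026:10:01:02 +0000] "GET /tomatoups.cgi?_nextpage=status HTTP/1.1" 200 512
203.0.113.7 - - [29/May/2026:10:01:09 +0000] "POST /tomatoups.cgi?_nextpage={LONG_QUERY} HTTP/1.1" 500 0
192.168.1.10 - admin [29/May/2026:10:02:00 +0000] "GET /status-overview.asp HTTP/1.1" 200 2048
192.168.1.12 - admin [29/May/2026:10:03:30 +0000] "POST /tomatoups.cgi HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def analyze_access_log(text, mgmt_nets, max_query_len=256):
    """Return one finding per tomatoups.cgi request that looks anomalous.
    Hypothetical rules: query longer than max_query_len, source outside the
    management networks, or a 5xx reply (a CGI crashing on bad input shows as 500).
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/tomatoups.cgi"):
            continue  # only the UPS service handler is of interest here
        reasons = []
        if len(parts.query) > max_query_len:
            reasons.append("query_too_long")
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            reasons.append("untrusted_source")
        if int(m["status"]) >= 500:
            reasons.append("server_error")
        if reasons:
            findings.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"{f['ts']} {f['src']} {f['method']} -> {f['status']} {','.join(f['reasons'])}")
```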
Evidence notes
Vulnerability identified in deprecated Shibby Tomato router firmware. The affected code resides in UPS service CGI handler. Project maintenance transitioned to FreshTomato community fork. No active vendor support for security patches.
Official resources
2026-05-29