PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10067 Shibby CVE debrief

A stack-based buffer overflow vulnerability exists in the `sub_90F0` function within the `multimon.cgi` file of Shibby Tomato firmware version 1.28. The vulnerability can be exploited remotely to achieve code execution. Shibby Tomato is a discontinued project superseded by FreshTomato, and affected versions are no longer maintained by the original vendor.

Vendor: Shibby
Product: Tomato
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Network administrators managing Tomato-based router firmware, security teams responsible for embedded device security, and organizations with legacy router deployments should prioritize inventory and migration efforts. The remote exploitability and high severity warrant immediate attention despite the end-of-life status of the affected product.

Technical summary

The vulnerability resides in the `sub_90F0` function of `multimon.cgi` in Shibby Tomato firmware 1.28. Insufficient bounds checking allows an attacker to overflow a stack-based buffer through crafted input, potentially leading to arbitrary code execution. The attack surface is exposed remotely through the CGI endpoint. As Shibby Tomato is discontinued and superseded by FreshTomato, no security patches are expected from the original maintainer.

Defensive priority

HIGH

Recommended defensive actions

  • Identify and inventory all devices running Shibby Tomato firmware version 1.28 or earlier
  • Migrate affected devices to FreshTomato or other actively maintained firmware alternatives
  • Implement network segmentation to restrict access to router management interfaces
  • Disable remote administration features where not strictly required
  • Monitor for unauthorized access attempts targeting multimon.cgi endpoints
  • Consider replacing end-of-life hardware that cannot support maintained firmware alternatives
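As an added illustration of the monitoring step above (example code written for this debrief, not tooling from the Tomato or FreshTomato projects): it scans constructed Common Log Format access-log lines for requests to multimon.cgi and flags those that come from outside an assumed management subnet or that carry an unusually long request line. The management network, the length threshold, the log format and the sample lines are all assumptions for the example; the threshold is a heuristic to tune per deployment, not a value taken from the advisory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Management network allowed to reach the router UI (assumption for this example).
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Heuristic: request lines longer than this are flagged (assumed threshold, tune per site).
MAX_REQUEST_LINE = 512

# Common Log Format: client ident user [time] "request" status size (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Finding:
    time: str
    client: str
    reason: str
    request: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_management(client: str) -> bool:
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def check_entry(entry: dict) -> List[Finding]:
    """Apply both heuristics to a parsed entry that targets multimon.cgi."""
    findings: List[Finding] = []
    request = entry["request"]
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    if "multimon.cgi" not in path.split("?")[0]:
        return findings  # other endpoints are not in scope for this check
    if not is_management(entry["client"]):
        findings.append(Finding(entry["time"], entry["client"],
                                "multimon.cgi reached from outside management network",
                                request))
    if len(request) > MAX_REQUEST_LINE:
        findings.append(Finding(entry["time"], entry["client"],
                                f"request line of {len(request)} bytes exceeds {MAX_REQUEST_LINE}",
                                request))
    return findings


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan log lines in order; malformed lines are skipped rather than treated as findings."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings.extend(check_entry(entry))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.10 - - [29/May/2026:10:00:00 +0000] "GET /multimon.cgi HTTP/1.1" 200 1234',
    '203.0.113.45 - - [29/May/2026:10:00:01 +0000] "GET /multimon.cgi HTTP/1.1" 401 0',
    '192.168.1.10 - - [29/May/2026:10:00:02 +0000] "POST /multimon.cgi?' + "A" * 600 + ' HTTP/1.1" 200 0',
    '192.168.1.10 - - [29/May/2026:10:00:03 +0000] "GET /status-overview.asp HTTP/1.1" 200 4567',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.client}: {f.reason}")
```

Because the advisory's vector (PR:L) indicates the endpoint is reachable by a low-privileged account, a request to multimon.cgi from an unexpected source is worth attention even when the server answered with a 2xx status; the length heuristic exists only to surface abnormal input sizes for review and says nothing about whether a given request was malicious.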

Evidence notes

The vulnerability is documented through VulDB submission 818146 and assigned VulDB entry 367153. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates a network attack vector, low attack complexity, no attack requirements, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. CWE-119 and CWE-121 are identified as the underlying weakness categories. The source references include a Gitee issue tracker entry and multiple VulDB resources. Vendor identification is marked as low confidence ('Unknown Vendor') and requires review; the reference domain candidate is Gitee.

Official resources

This CVE was published on 2026-05-29 and last modified on 2026-05-29. The vulnerability disclosure indicates the affected product is end-of-life with no planned patches from the original maintainer.