PatchSiren cyber security CVE debrief

CVE-2026-10068 Shibby CVE debrief

A server-side request forgery (SSRF) vulnerability exists in the SUBSCRIBE Call Handler component of Shibby Tomato 1.28, specifically within the send function of usr/sbin/miniupnpd. The vulnerability allows remote attackers to manipulate the affected function to initiate unauthorized requests from the server. This issue affects a firmware project that has been superseded by FreshTomato and is no longer maintained by its original developer. The vulnerability carries a CVSS 4.0 base score of 6.9 (Medium severity). The weakness is classified as CWE-918 (Server-Side Request Forgery).

Vendor: Shibby
Product: Tomato
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations operating legacy router or network equipment running Shibby Tomato 1.28 firmware, particularly those with exposed UPnP services. Security teams responsible for firmware lifecycle management and network segmentation. Home users and small businesses utilizing aftermarket router firmware who may be unaware of the project's end-of-life status.

Technical summary

The vulnerability resides in the send function within usr/sbin/miniupnpd, which handles SUBSCRIBE requests in the UPnP implementation of Shibby Tomato 1.28. An attacker can remotely manipulate this function to cause the server to make unauthorized requests to arbitrary destinations, constituting server-side request forgery. The attack vector is network-based with low attack complexity and no required privileges or user interaction. The vulnerability affects confidentiality, integrity, and availability at a low impact level. The product is explicitly noted as superseded by FreshTomato and no longer supported by its maintainer.
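The debrief does not say which part of the SUBSCRIBE request the daemon turns into an outbound request; in UPnP eventing the client supplies its own notification URL in the CALLBACK header, so a validator for that header is the natural CWE-918 mitigation. The following is an added illustration, not miniupnpd's or Tomato's code, and it assumes the LAN prefix 192.168.1.0/24 and the callback-URL vector:

```python
"""Accept a UPnP SUBSCRIBE CALLBACK header only if every URL in it points
back to the subscribing host on the device's own LAN.  Added example of a
server-side request forgery guard; assumed vector, not the project's code."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical LAN the device serves; event subscribers must live on it.
LAN = ipaddress.ip_network("192.168.1.0/24")


def callback_allowed(callback_header: str, requester_ip: str, lan=LAN) -> bool:
    """Return True only when each <...> URL is plain http://, uses an IP
    literal (no hostnames, so no DNS tricks), is not loopback/link-local/
    multicast, lies inside the LAN, and equals the requester's address so
    one LAN host cannot aim the device's notifications at another."""
    # Header shape: <http://host:port/path>, possibly several in a row.
    urls = [u.split("<", 1)[1] for u in callback_header.split(">") if "<" in u]
    if not urls:
        return False
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
            _ = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            return False
        if parts.scheme != "http" or parts.username or parts.password:
            return False
        if host.is_loopback or host.is_link_local or host.is_multicast:
            return False
        if host not in lan or str(host) != requester_ip:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate subscriber, then requests
    # that try to steer the device at itself, at loopback, or off-LAN.
    print(callback_allowed("<http://192.168.1.20:49152/evt>", "192.168.1.20"))  # True
    print(callback_allowed("<http://192.168.1.1:80/admin>", "192.168.1.20"))   # False
    print(callback_allowed("<http://127.0.0.1:80/>", "192.168.1.20"))          # False
    print(callback_allowed("<http://10.0.0.5:80/>", "192.168.1.20"))           # False
```

The same check belongs on every later NOTIFY as well, since a subscription's callback is stored and reused for its whole lifetime.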

Defensive priority

Medium

Recommended defensive actions

  • Identify and inventory any remaining deployments of Shibby Tomato 1.28 firmware, as this version is end-of-life and no longer receives security updates
  • Migrate affected devices to FreshTomato or another actively maintained alternative firmware
  • If migration is not immediately feasible, restrict network access to the UPnP service (typically TCP port 5000) to trusted administrative hosts only
  • Monitor for anomalous outbound network connections from affected devices that may indicate SSRF exploitation
  • Review firewall rules to prevent affected devices from initiating connections to sensitive internal services or external untrusted destinations

Evidence notes

Vulnerability disclosed via VulDB and Gitee issue tracker. The affected product is explicitly noted as end-of-life and superseded. No known exploitation in the wild or ransomware campaign use has been documented.
