PatchSiren cyber security CVE debrief
CVE-2026-10069 Shibby CVE debrief
A resource consumption vulnerability in Shibby Tomato 1.28's miniupnpd component allows remote attackers to exhaust system resources. The affected firmware is end-of-life and superseded by FreshTomato.
- Vendor: Shibby
- Product: Tomato
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Network administrators running Shibby Tomato 1.28 on routers or gateways; security teams managing legacy embedded Linux firmware; organizations with remote-accessible UPnP services.
Technical summary
The vulnerability exists in an unknown function within /usr/sbin/miniupnpd in Shibby Tomato firmware version 1.28. Remote attackers can trigger resource consumption without authentication. The CVSS 4.0 score of 8.7 reflects high availability impact with low attack complexity. The product is explicitly noted as superseded by FreshTomato and no longer supported by its maintainer.
Defensive priority
HIGH
Recommended defensive actions
- Migrate from Shibby Tomato 1.28 to FreshTomato or an alternative, actively maintained firmware
- If migration is not immediately possible, restrict network access to the miniupnpd service to trusted administrative hosts only
- Monitor for anomalous resource consumption on affected devices
- Plan replacement of end-of-life routing infrastructure
Evidence notes
The CVSS 4.0 vector indicates a network attack vector with no privileges required and high availability impact. CWE-400 (Uncontrolled Resource Consumption) and CWE-404 (Improper Resource Shutdown or Release) are assigned. The VulnStatus is 'Deferred' in NVD.
Official resources
Published 2026-05-29 by NVD with VulDB as CNA. No KEV listing.