Home

Description

A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-08 | Assigner VulDB




HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
HIGH: 7.2CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
8.3AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Problem types

OS Command Injection

Command Injection

Product status

1.28.0000
affected

Timeline

2026-06-04:Advisory disclosed
2026-06-04:VulDB entry created
2026-06-04:VulDB entry last update

Credits

WH-YHUST (VulDB User) reporter

VulDB CNA Team coordinator

References

gitee.com/...-cve-disclosure/advisories/en/01-start_dhcpc.md exploit

vuldb.com/vuln/368360 (VDB-368360 | Shibby Tomato Web UI rc start_dhcpc os command injection) vdb-entry technical-description

vuldb.com/vuln/368360/cti (VDB-368360 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10870 (CVE-2026-10870 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/831856 (Submit #831856 | Tomato Tomato Firmware Shibby-modified Tomato Firmware (MIPS32 LE). Verified on extracted image labeled d2e251333c486810d9bbce816021bcf1b93dd392 (inter OS Command Injection) third-party-advisory

gitee.com/...-cve-disclosure/advisories/en/01-start_dhcpc.md related

gitee.com/...-cve-disclosure/advisories/zh/01-start_dhcpc.md exploit

cve.org (CVE-2026-10870)

nvd.nist.gov (CVE-2026-10870)

Download JSON