CVE-2026-10066
Description
A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to a stack-based buffer overflow. The attack can be initiated remotely. This project has been superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in Shibby Tomato up to 1.28's tomatoups.cgi allows remote unauthenticated attackers to execute arbitrary code.
Vulnerability
The UPS Service component in Shibby Tomato firmware up to version 1.28 contains a stack-based buffer overflow in the sub_9068 function of the tomatoups.cgi file [1]. The vulnerable code is reachable through the web interface without authentication, so it is remotely exploitable. The product is end-of-life and superseded by FreshTomato; no fixed version is available from the original maintainer [1].
Exploitation
An attacker can send a crafted HTTP request to the vulnerable CGI endpoint, triggering the stack buffer overflow in the sub_9068 function. No authentication is required and the attack vector is network-based [1]. Exploitation requires no user interaction.
Impact
Successful exploitation leads to arbitrary code execution with the privileges of the web server (typically root on embedded devices). This allows the attacker to gain full control of the affected device, enabling information disclosure, installation of persistent backdoors, or further network compromise [1].
Mitigation
No official fix exists, as Shibby Tomato 1.28 is end-of-life and no longer supported by the maintainer [1]. Users are strongly advised to migrate to FreshTomato, the actively maintained fork, to mitigate this vulnerability. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.