CVE-2026-10067
Description
A vulnerability was detected in Shibby Tomato 1.28. The affected code is the function sub_90F0 in the file multimon.cgi. The manipulation results in a stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in Shibby Tomato 1.28's multimon.cgi allows remote attackers to execute arbitrary code on unsupported devices.
Vulnerability
A stack-based buffer overflow vulnerability exists in the sub_90F0 function of the multimon.cgi CGI script in Shibby Tomato firmware version 1.28. The flaw is triggered by manipulating input data, leading to memory corruption. This version is no longer supported, and the project has been superseded by FreshTomato [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. By sending a specially crafted HTTP request to the multimon.cgi endpoint, the attacker can overflow a stack buffer, potentially overwriting critical data or control flow structures. No user interaction is needed beyond the target device being reachable over the network [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution on the affected device. Given that Shibby Tomato is a router firmware, this could lead to full compromise of the device, including network traffic interception, configuration changes, and further lateral movement within the network [1].
Mitigation
No official patch is available from Shibby as the project is end-of-life. The only recommended mitigation is to upgrade to FreshTomato, the actively maintained successor. Users should also consider replacing unsupported hardware. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References: 4
News mentions: 0. No linked articles in our index yet.