CVE-2026-10068
Description
A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shibby Tomato 1.28 contains a server-side request forgery in the miniupnpd SUBSCRIBE handler, allowing remote exploitation on an unsupported product.
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in Shibby Tomato firmware version 1.28. The flaw resides in the send function within the file usr/sbin/miniupnpd, specifically in the SUBSCRIBE Call Handler component [1]. Because the daemon connects to whatever callback address a SUBSCRIBE request names, an attacker can make the router open connections to internal or external hosts of their choosing. No special configuration is required beyond being able to reach the daemon's HTTP port; miniupnpd normally listens only on the LAN interface, so the attack is typically launched from the local network and from the WAN only where the service has been exposed there. The project is superseded by FreshTomato and is no longer supported by the maintainer.
Exploitation
An attacker can exploit this vulnerability by sending a crafted SUBSCRIBE request to the UPnP daemon (miniupnpd) on a device running Shibby Tomato 1.28. The attack is remotely initiated and does not require authentication [1]. In UPnP's event mechanism (GENA), a SUBSCRIBE request carries a CALLBACK header holding one or more URLs in angle brackets; the daemon later delivers event notifications by opening a TCP connection to the host and port in that URL and sending an HTTP NOTIFY. Since the attacker controls the callback URL, the device performs that connection to any target the attacker chooses.
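The request shape described above, and the kind of server-side check a hardened event handler would apply to it, as an added example that is not code from the page, from miniupnpd or from the Tomato project. The HTTP port (5000), the LAN prefix, the callback paths and the sample requests are all constructed assumptions; the "callback host must equal the subscriber's address" rule is a strict illustrative policy, not a documented miniupnpd behaviour or a patch for this CVE (the page lists none).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a GENA SUBSCRIBE as a LAN client would send it to the
# daemon's HTTP port. The port 5000 is an assumption; in practice the port is
# learned from the SSDP discovery response, not from UDP 1900 itself.
LEGIT_SUBSCRIBE = (
    "SUBSCRIBE /evt/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:5000\r\n"
    "CALLBACK: <http://192.168.1.50:49152/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

# Constructed sample of the SSRF shape: only the CALLBACK differs. A daemon
# that trusts it will later connect to 127.0.0.1:80 and POST a NOTIFY there.
SSRF_SUBSCRIBE = LEGIT_SUBSCRIBE.replace(
    "<http://192.168.1.50:49152/notify>", "<http://127.0.0.1:80/>"
)

# GENA allows several <url> entries in one CALLBACK header.
CALLBACK_URL_RE = re.compile(r"<([^>]+)>")


def parse_subscribe(raw: str):
    """Return (path, headers) for a SUBSCRIBE request, or None for any other method."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    if method != "SUBSCRIBE":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return path, headers


def callback_urls(headers) -> list:
    """Extract every <url> from the CALLBACK header (empty list if absent)."""
    return CALLBACK_URL_RE.findall(headers.get("CALLBACK", ""))


def check_callback(url: str, client_ip: str, lan_net: str) -> str:
    """Classify one callback URL against the address the subscriber came from.

    Policy (an assumption for this example): http only, literal IP only,
    never loopback, inside the LAN prefix, and equal to the subscriber's own
    address, so the device can never be pointed at a third host.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return "reject: not an http URL"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "reject: hostname instead of IP"  # a name can resolve anywhere
    if host.is_loopback:
        return "reject: loopback"
    if host not in ipaddress.ip_network(lan_net):
        return "reject: outside LAN"
    if host != ipaddress.ip_address(client_ip):
        return "reject: does not match subscriber"
    return "accept"


def evaluate(raw: str, client_ip: str, lan_net: str = "192.168.1.0/24") -> list:
    """Parse a raw request and return [(callback_url, verdict), ...]."""
    parsed = parse_subscribe(raw)
    if parsed is None:
        return []
    _, headers = parsed
    return [(u, check_callback(u, client_ip, lan_net)) for u in callback_urls(headers)]


if __name__ == "__main__":
    for label, req in (("legit", LEGIT_SUBSCRIBE), ("ssrf", SSRF_SUBSCRIBE)):
        print(label, evaluate(req, "192.168.1.50"))
```

The same verdict logic can be run as a detection over captured traffic to the daemon's HTTP port: any SUBSCRIBE whose CALLBACK host is not the client that sent it is, at best, a misconfigured UPnP client and, at worst, the probe described above.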
Impact
Successful exploitation enables server-side request forgery: the attacker can use the router's network position to probe hosts and ports on the LAN, on the WAN side, or on the device itself, and to deliver an HTTP request to internal services that are unreachable from the attacker's own vantage point. The attacker does not gain direct code execution, and because the device sends a NOTIFY rather than relaying a fetched response, the target's reply is not returned to the attacker; the main value of the flaw is reaching services the attacker cannot reach directly. Since the product is end-of-life, there is no official fix available [1].
Mitigation
No official patch exists for Shibby Tomato 1.28 as it is a discontinued product. Users are strongly advised to upgrade to FreshTomato, the actively maintained successor. Until then, disable the UPnP service on the router. Note that a SUBSCRIBE is an HTTP (GENA) request sent over TCP to miniupnpd's HTTP port, which is advertised in SSDP responses; blocking UDP port 1900 only suppresses discovery and does not stop a client that already knows the HTTP port. Ensure the daemon is not reachable from the WAN and restrict LAN access to it where the network design allows, bearing in mind that this also breaks legitimate UPnP port mapping for LAN clients [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.