Threat Feed
Threat level: high

Shibby Tomato Stack-Based Buffer Overflow Vulnerability (CVE-2026-10124)

A stack-based buffer overflow vulnerability exists in Shibby Tomato up to version 1.28 in the rip_zebra_read_ipv4 function within the /usr/sbin/ripd component (Zserv Handler), allowing a remote attacker to execute arbitrary code.

A stack-based buffer overflow vulnerability, identified as CVE-2026-10124, affects Shibby Tomato firmware up to version 1.28. The vulnerability resides in the rip_zebra_read_ipv4 function of the /usr/sbin/ripd binary, specifically within the Zserv Handler component. Successful exploitation of this flaw allows a remote attacker to execute arbitrary code on the affected system. A public exploit exists and may be used. Note that Shibby Tomato has been superseded by FreshTomato, and the affected versions are no longer supported by the maintainer.

Attack Chain

  1. The attacker identifies a vulnerable Shibby Tomato device running a version up to 1.28.
  2. The attacker crafts a malicious network packet targeting the Zserv Handler component.
  3. The malicious packet is sent to the device, specifically targeting the /usr/sbin/ripd process.
  4. The rip_zebra_read_ipv4 function processes the packet without proper bounds checking.
  5. A stack-based buffer overflow occurs when the function attempts to write data beyond the allocated buffer.
  6. The attacker overwrites parts of the stack, including the return address.
  7. When the rip_zebra_read_ipv4 function returns, control is transferred to the attacker-controlled address.
  8. The attacker executes arbitrary code on the device, potentially gaining full control.

Impact

Successful exploitation of CVE-2026-10124 allows an attacker to execute arbitrary code on the affected Shibby Tomato device. This can lead to a complete compromise of the device, enabling actions such as data theft, modification of device settings, or enrolment of the device in a botnet. Because the software is no longer supported, many older devices still deployed could remain exposed.

Recommendation

  • Upgrade to FreshTomato or another supported firmware to eliminate CVE-2026-10124.
  • Monitor network traffic for suspicious packets targeting the /usr/sbin/ripd process using the Sigma rules listed below.
  • Implement network segmentation to limit the exposure of vulnerable devices.

Detection coverage (2 rules)

Rule 1: Detect CVE-2026-10124 Exploitation Attempt - Suspicious Network Traffic to RIPD
Level: high
Detects attempts to exploit CVE-2026-10124 by monitoring network connections to the RIPD process on Tomato routers.
Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: network_connection, linux

Rule 2: Detect CVE-2026-10124 - RIPD Process Monitoring
Level: medium
Detects the RIPD process being started, which may indicate exploitation attempts for CVE-2026-10124.
Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: process_creation, linux
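As an added illustration (not the platform's own rules, which this page does not reproduce), here are the two rule cards above written as Sigma-style rules with a minimal matcher run over constructed sample events; the selection fields (Image, DestinationPort) and RIP's UDP port 520 are assumptions, since the page only gives titles, levels, tactics and log sources.

```python
"""Sigma-style matcher for the two rules listed on this page (added example, not the
platform's rules). The page gives only titles, levels, tactics and log sources, so the
selection fields (Image, DestinationPort) and RIP's UDP port 520 are assumptions."""

RULES = [
    {"title": "Detect CVE-2026-10124 Exploitation Attempt - Suspicious Network Traffic to RIPD",
     "level": "high", "tags": ["attack.initial_access", "attack.t1190"],
     "logsource": {"product": "linux", "category": "network_connection"},
     "detection": {"selection": {"Image|endswith": "/usr/sbin/ripd", "DestinationPort": 520},
                   "condition": "selection"}},
    {"title": "Detect CVE-2026-10124 - RIPD Process Monitoring",
     "level": "medium", "tags": ["attack.initial_access", "attack.t1190"],
     "logsource": {"product": "linux", "category": "process_creation"},
     "detection": {"selection": {"Image|endswith": "/usr/sbin/ripd"},
                   "condition": "selection"}},
]

# Constructed sample events in a Sysmon-for-Linux-like field layout (not real logs).
SAMPLE_EVENTS = [
    {"product": "linux", "category": "process_creation", "Image": "/usr/sbin/ripd"},
    {"product": "linux", "category": "network_connection", "Image": "/usr/sbin/ripd", "DestinationPort": 520},
    {"product": "linux", "category": "network_connection", "Image": "/usr/sbin/httpd", "DestinationPort": 80},
    {"product": "linux", "category": "process_creation", "Image": "/bin/sh"},
]

def field_matches(event, key, expected):
    """One selection entry 'Field|modifier': value or [values]; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field])
    for want in (expected if isinstance(expected, list) else [expected]):
        want = str(want)
        if ((modifier == "endswith" and actual.endswith(want))
                or (modifier == "contains" and want in actual)
                or (modifier == "" and actual == want)):
            return True
    return False

def rule_matches(rule, event):
    """Logsource must agree, then every selection entry must match (AND); plain 'condition: selection' only."""
    src = rule["logsource"]
    if event.get("product") != src["product"] or event.get("category") != src["category"]:
        return False
    return all(field_matches(event, k, v) for k, v in rule["detection"]["selection"].items())

def evaluate(events, rules=RULES):
    """Return (event index, rule title, level) for every rule that fires."""
    return [(i, r["title"], r["level"]) for i, ev in enumerate(events)
            for r in rules if rule_matches(r, ev)]
```

Note that the process-creation rule also fires on a legitimate ripd start at boot, which is why it carries the lower level; correlate it with the network rule rather than alerting on it alone.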
