Shibby Tomato Firmware Vulnerability CVE-2026-15545 Leads to Remote Out-of-Bounds Write
A critical out-of-bounds write vulnerability (CVE-2026-15545) exists in Shibby Tomato firmware up to version 1.28.0000, specifically within the `main` function of the `www/apcupsd/tomatodata.cgi` file in the `apcupsd` component, which can be exploited remotely with a publicly available exploit, posing a significant risk to affected network devices.
A significant security vulnerability, identified as CVE-2026-15545, affects Shibby Tomato router firmware versions up to and including 1.28.0000. This flaw resides in the main function of the www/apcupsd/tomatodata.cgi file, part of the apcupsd component. The vulnerability is characterized as an out-of-bounds write, which can be triggered by remote manipulation. This issue carries a high CVSS v3.1 base score of 8.8, indicating severe potential impact. An exploit for this vulnerability is publicly available, increasing the urgency for affected users to address the issue. The Shibby Tomato project has been superseded by FreshTomato, suggesting that official patches for Shibby Tomato may not be available, leaving older installations at continued risk. Exploitation could lead to unauthorized access, denial of service, or potentially remote code execution on the affected router.
Attack Chain
- An unauthenticated or low-privileged remote attacker crafts a malicious HTTP request targeting the
www/apcupsd/tomatodata.cgiendpoint on a vulnerable Shibby Tomato router. - The crafted request manipulates input parameters processed by the
mainfunction within theapcupsdcomponent. - This manipulation triggers an out-of-bounds write condition in memory, allowing the attacker to overwrite sensitive data or execute arbitrary code.
- Successful exploitation leads to unauthorized control over the router, potentially compromising network traffic or enabling further attacks on connected devices.
Impact
Successful exploitation of CVE-2026-15545 can lead to severe consequences for organizations and individuals using affected Shibby Tomato routers. Due to the nature of an out-of-bounds write in a network device's firmware, attackers could achieve remote code execution, allowing them to gain full control over the router. This control enables threat actors to modify network configurations, intercept network traffic, launch further attacks on internal networks, or integrate the compromised device into a botnet. Given that routers are critical infrastructure, the impact can extend to complete network compromise, data exfiltration, or prolonged service disruption. The public availability of an exploit significantly lowers the bar for attackers, increasing the likelihood of widespread exploitation.
Recommendation
- Patch CVE-2026-15545 by upgrading Shibby Tomato firmware to a version beyond 1.28.0000, if available, or migrating to FreshTomato, which supersedes the affected project.
- Monitor web server logs for unusual or malformed HTTP requests directed at the
www/apcupsd/tomatodata.cgipath, especially those with excessively long or specially crafted query parameters. - Review network segmentation and access controls to limit exposure of router administrative interfaces to untrusted networks.