{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tomato--1.28.0000/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-15544"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tomato (\u003c= 1.28.0000)"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","rce","firmware","router","cve"],"_cs_type":"threat","_cs_vendors":["Shibby"],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, tracked as CVE-2026-15544, has been identified in Shibby Tomato firmware versions up to 1.28.0000. This flaw specifically affects the \u003ccode\u003egetupsvar\u003c/code\u003e function within the \u003ccode\u003ewww/apcupsd/tomatodata.cgi\u003c/code\u003e file, part of the \u003ccode\u003eapcupsd\u003c/code\u003e component. By manipulating the \u003ccode\u003eField\u003c/code\u003e argument, an attacker can trigger the buffer overflow, leading to remote code execution. This vulnerability can be exploited remotely, and details of the exploit have been publicly disclosed, increasing the risk of active exploitation. The Shibby Tomato project has been superseded by FreshTomato, indicating that official updates for the vulnerable versions may not be available, leaving affected devices exposed to significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing Shibby Tomato device running a vulnerable firmware version (up to 1.28.0000).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewww/apcupsd/tomatodata.cgi\u003c/code\u003e endpoint on the vulnerable device.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially malformed or excessively long \u003ccode\u003eField\u003c/code\u003e argument designed to overflow a buffer.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetupsvar\u003c/code\u003e function in the \u003ccode\u003eapcupsd\u003c/code\u003e component processes the malicious \u003ccode\u003eField\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs, overwriting critical data on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code on the affected Shibby Tomato device, achieving remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the compromised router, potentially allowing for network pivoting, data exfiltration, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15544 leads to remote code execution (RCE) on the vulnerable Shibby Tomato device. This grants attackers full control over the compromised router, enabling them to alter device settings, hijack network traffic, establish persistence, or use the device as a pivot point for further attacks into the internal network. Given that these devices often act as network gateways, an RCE can have severe consequences, compromising the entire network behind the router. The public disclosure of the exploit increases the likelihood of widespread attacks against unpatched devices. There is no information available on specific victims or sectors at this time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Shibby Tomato firmware to a patched version if available, or migrate to FreshTomato as the project is superseded.\u003c/li\u003e\n\u003cli\u003eApply available patches for CVE-2026-15544 immediately to all Shibby Tomato devices running affected versions up to 1.28.0000.\u003c/li\u003e\n\u003cli\u003eLimit network exposure of administrative interfaces for devices running \u003ccode\u003eapcupsd\u003c/code\u003e to trusted networks only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T08:28:06Z","date_published":"2026-07-13T08:28:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-cve-2026-15544/","summary":"A stack-based buffer overflow vulnerability, identified as CVE-2026-15544, exists in the `getupsvar` function within the `www/apcupsd/tomatodata.cgi` file of the `apcupsd` component in Shibby Tomato firmware versions up to and including 1.28.0000, allowing a remote attacker to achieve arbitrary code execution by manipulating the `Field` argument.","title":"Shibby Tomato Firmware Vulnerability CVE-2026-15544 Enables Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-cve-2026-15544/"}],"language":"en","title":"CraftedSignal Threat Feed - Tomato (\u003c= 1.28.0000)","version":"https://jsonfeed.org/version/1.1"}