<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tomato (&lt;= 1.28.0000) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tomato--1.28.0000/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 08:28:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tomato--1.28.0000/feed.xml" rel="self" type="application/rss+xml"/><item><title>Shibby Tomato Firmware Vulnerability CVE-2026-15544 Enables Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-cve-2026-15544/</link><pubDate>Mon, 13 Jul 2026 08:28:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-cve-2026-15544/</guid><description>A stack-based buffer overflow vulnerability, identified as CVE-2026-15544, exists in the `getupsvar` function within the `www/apcupsd/tomatodata.cgi` file of the `apcupsd` component in Shibby Tomato firmware versions up to and including 1.28.0000, allowing a remote attacker to achieve arbitrary code execution by manipulating the `Field` argument.</description><content:encoded><![CDATA[<p>A critical stack-based buffer overflow vulnerability, tracked as CVE-2026-15544, has been identified in Shibby Tomato firmware versions up to 1.28.0000. This flaw specifically affects the <code>getupsvar</code> function within the <code>www/apcupsd/tomatodata.cgi</code> file, part of the <code>apcupsd</code> component. By manipulating the <code>Field</code> argument, an attacker can trigger the buffer overflow, leading to remote code execution. This vulnerability can be exploited remotely, and details of the exploit have been publicly disclosed, increasing the risk of active exploitation. The Shibby Tomato project has been superseded by FreshTomato, indicating that official updates for the vulnerable versions may not be available, leaving affected devices exposed to significant risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an internet-facing Shibby Tomato device running a vulnerable firmware version (up to 1.28.0000).</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>www/apcupsd/tomatodata.cgi</code> endpoint on the vulnerable device.</li>
<li>The crafted request includes a specially malformed or excessively long <code>Field</code> argument designed to overflow a buffer.</li>
<li>The <code>getupsvar</code> function in the <code>apcupsd</code> component processes the malicious <code>Field</code> argument without proper bounds checking.</li>
<li>A stack-based buffer overflow occurs, overwriting critical data on the stack.</li>
<li>The attacker injects and executes arbitrary code on the affected Shibby Tomato device, achieving remote code execution.</li>
<li>The attacker gains full control over the compromised router, potentially allowing for network pivoting, data exfiltration, or further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15544 leads to remote code execution (RCE) on the vulnerable Shibby Tomato device. This grants attackers full control over the compromised router, enabling them to alter device settings, hijack network traffic, establish persistence, or use the device as a pivot point for further attacks into the internal network. Given that these devices often act as network gateways, an RCE can have severe consequences, compromising the entire network behind the router. The public disclosure of the exploit increases the likelihood of widespread attacks against unpatched devices. There is no information available on specific victims or sectors at this time.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Shibby Tomato firmware to a patched version if available, or migrate to FreshTomato as the project is superseded.</li>
<li>Apply available patches for CVE-2026-15544 immediately to all Shibby Tomato devices running affected versions up to 1.28.0000.</li>
<li>Limit network exposure of administrative interfaces for devices running <code>apcupsd</code> to trusted networks only.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>buffer-overflow</category><category>rce</category><category>firmware</category><category>router</category><category>cve</category></item></channel></rss>