{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tomato-up-to-1.28/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-10124"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tomato (up to 1.28)","FreshTomato"],"_cs_severities":["high"],"_cs_tags":["cve","buffer-overflow","router"],"_cs_type":"threat","_cs_vendors":["Shibby"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-10124, affects Shibby Tomato firmware up to version 1.28. The vulnerability resides in the \u003ccode\u003erip_zebra_read_ipv4\u003c/code\u003e function of the \u003ccode\u003e/usr/sbin/ripd\u003c/code\u003e binary, specifically within the Zserv Handler component. Successful exploitation of this flaw allows a remote attacker to execute arbitrary code on the affected system. The exploit is publicly known and may be utilized. 
Note that Shibby Tomato is superseded by FreshTomato, and the affected versions are no longer supported by the maintainer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Shibby Tomato device running a version up to 1.28.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network packet targeting the Zserv Handler component.\u003c/li\u003e\n\u003cli\u003eThe malicious packet is sent to the device, specifically targeting the \u003ccode\u003e/usr/sbin/ripd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erip_zebra_read_ipv4\u003c/code\u003e function processes the packet without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs when the function attempts to write data beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites parts of the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003erip_zebra_read_ipv4\u003c/code\u003e function returns, control is transferred to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the device, potentially gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10124 allows an attacker to execute arbitrary code on the affected Shibby Tomato device. This can lead to a complete compromise of the device, enabling the attacker to perform actions such as data theft, modification of device settings, or use of the device as part of a botnet. 
Given that the software is no longer supported, a large number of older devices deployed could be exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to FreshTomato or another supported firmware to eliminate CVE-2026-10124.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious packets targeting the \u003ccode\u003e/usr/sbin/ripd\u003c/code\u003e process using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of vulnerable devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T16:22:30Z","date_published":"2026-05-30T16:22:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-10124/","summary":"A stack-based buffer overflow vulnerability exists in Shibby Tomato up to version 1.28 in the rip_zebra_read_ipv4 function within the /usr/sbin/ripd component (Zserv Handler), allowing a remote attacker to execute arbitrary code.","title":"Shibby Tomato Stack-Based Buffer Overflow Vulnerability (CVE-2026-10124)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-10124/"}],"language":"en","title":"CraftedSignal Threat Feed — Tomato (Up to 1.28)","version":"https://jsonfeed.org/version/1.1"}