Tomato (Up to 1.28) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/tomato-up-to-1.28/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 30 May 2026 16:22:30 +0000Shibby Tomato Stack-Based Buffer Overflow Vulnerability (CVE-2026-10124)https://feed.craftedsignal.io/briefs/2026-05-cve-2026-10124/Sat, 30 May 2026 16:22:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-10124/A stack-based buffer overflow vulnerability exists in Shibby Tomato up to version 1.28 in the rip_zebra_read_ipv4 function within the /usr/sbin/ripd component (Zserv Handler), allowing a remote attacker to execute arbitrary code.A stack-based buffer overflow vulnerability, identified as CVE-2026-10124, affects Shibby Tomato firmware up to version 1.28. The vulnerability resides in the rip_zebra_read_ipv4 function of the /usr/sbin/ripd binary, specifically within the Zserv Handler component. Successful exploitation of this flaw allows a remote attacker to execute arbitrary code on the affected system. The exploit is publicly known and may be utilized. Note that Shibby Tomato is superseded by FreshTomato, and the affected versions are no longer supported by the maintainer.

Attack Chain

  1. The attacker identifies a vulnerable Shibby Tomato device running a version up to 1.28.
  2. The attacker crafts a malicious network packet targeting the Zserv Handler component.
  3. The malicious packet is sent to the device, specifically targeting the /usr/sbin/ripd process.
  4. The rip_zebra_read_ipv4 function processes the packet without proper bounds checking.
  5. A stack-based buffer overflow occurs when the function attempts to write data beyond the allocated buffer.
  6. The attacker overwrites parts of the stack, including the return address.
  7. When the rip_zebra_read_ipv4 function returns, control is transferred to the attacker-controlled address.
  8. The attacker executes arbitrary code on the device, potentially gaining full control.

Impact

Successful exploitation of CVE-2026-10124 allows an attacker to execute arbitrary code on the affected Shibby Tomato device. This can lead to a complete compromise of the device, enabling the attacker to perform actions such as data theft, modification of device settings, or use the device as part of a botnet. Given that the software is no longer supported, a large number of older devices deployed could be exposed.

Recommendation

  • Upgrade to FreshTomato or another supported firmware to eliminate CVE-2026-10124.
  • Monitor network traffic for suspicious packets targeting the /usr/sbin/ripd process using the Sigma rule provided below.
  • Implement network segmentation to limit the exposure of vulnerable devices.
]]>highthreatcvebuffer-overflowrouter