{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-15548/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-15548"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tomato (All versions up to 1.28.0000)"],"_cs_severities":["high"],"_cs_tags":["router","firmware","buffer-overflow","rce","CVE-2026-15548"],"_cs_type":"advisory","_cs_vendors":["Shibby"],"content_html":"\u003cp\u003eA significant security vulnerability, identified as CVE-2026-15548, has been discovered in Shibby Tomato router firmware, affecting all versions up to and including 1.28.0000. This flaw resides within the \u003ccode\u003esub_407220\u003c/code\u003e function of the \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e daemon, specifically impacting the DNS List Rendering component. The vulnerability is a stack-based buffer overflow, which can be remotely triggered by a malicious actor. Successful exploitation allows for the execution of arbitrary code, leading to complete compromise of the affected router. Given that the Shibby Tomato project is superseded by FreshTomato, users of the affected firmware are advised to migrate or upgrade immediately to mitigate this high-severity risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Shibby Tomato router running a vulnerable firmware version (up to 1.28.0000) that is accessible remotely via its HTTP management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially designed HTTP request targeting the vulnerable DNS List Rendering component, which is handled by the \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe crafted request contains an oversized or malformed input directed towards the \u003ccode\u003esub_407220\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esub_407220\u003c/code\u003e function processes this malicious input, it causes a stack-based buffer overflow within the \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical memory regions on the stack, allowing the attacker to inject and execute arbitrary code on the router.\u003c/li\u003e\n\u003cli\u003eSuccessful remote code execution grants the attacker full control over the compromised Shibby Tomato router, potentially enabling further network penetration or data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15548 leads to remote code execution on the affected Shibby Tomato router. This gives attackers complete control over the device, potentially allowing them to modify router configurations, intercept network traffic, launch further attacks against internal networks, or use the device as a pivot point. The vulnerability has a CVSS v3.1 base score of 8.8 (High), indicating severe impacts on confidentiality, integrity, and availability. All users of Shibby Tomato firmware up to version 1.28.0000 are at risk. The project being superseded by FreshTomato highlights the need for immediate action from users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatching/Migration\u003c/strong\u003e: Migrate immediately to FreshTomato firmware or a patched version if available, as Shibby Tomato is no longer maintained.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Segmentation\u003c/strong\u003e: Isolate router management interfaces on a dedicated management network, restricting access only to trusted administrative hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLog Monitoring\u003c/strong\u003e: Review router web server logs for suspicious or malformed HTTP requests, especially those targeting DNS list functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T10:17:59Z","date_published":"2026-07-13T10:17:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-overflow/","summary":"A critical stack-based buffer overflow vulnerability (CVE-2026-15548) exists in Shibby Tomato router firmware versions up to 1.28.0000, specifically in the `sub_407220` function of the `/usr/sbin/httpd` component related to DNS List Rendering, allowing remote attackers to achieve high impact on confidentiality, integrity, and availability.","title":"Shibby Tomato Router Firmware Stack-Based Buffer Overflow (CVE-2026-15548)","url":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-15548","version":"https://jsonfeed.org/version/1.1"}