External risk intelligence

Shibby Tomato Zserv Handler Remote Buffer Overflow Advisory

CVE advisory

Severity: HIGH (CVSS 7.4)

CVE-2026-10124

A vulnerability exists in the Zserv Handler component of Shibby Tomato firmware. A stack-based buffer overflow can occur remotely via manipulation of the rip_zebra_read_ipv4 function. This could impact system integrity and availability. The exploit has been publicly disclosed. This vulnerability affects products that a

2Halo Surface Signal

Memory Corruption

External exposure likelihood

Halo Surface Signal score for CVE-2026-10124

The vulnerability resides in a routing protocol daemon (ripd) within a router firmware. While network-reachable, these services are typically intended for internal or peer-to-peer routing communication and are not designed to be exposed directly to the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

The Zserv Handler component in Shibby Tomato firmware contains a vulnerability within its IPv4 reading function. This flaw allows for a stack-based buffer overflow to be triggered through manipulation. An attacker could exploit this remotely to affect the integrity and availability of the system.

  • Vulnerable function rip_zebra_read_ipv4
  • Stack-based buffer overflow
  • System compromise and data loss

Attack Path

How an attacker could exploit the issue

This vulnerability could allow an attacker to execute arbitrary code by exploiting a stack-based buffer overflow in the Zserv Handler component. The attack is remotely executable and has been publicly disclosed. Organizations using unsupported versions of Shibby Tomato are at risk.

  • Exposure condition: Network accessible function.
  • Attacker starting point: Unauthenticated network access.
  • Trigger and result: Trigger overflow for code execution.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in the Zserv Handler component of Shibby Tomato firmware could allow for remote attacks leading to a stack-based buffer overflow. This could impact system integrity and availability if exploited. The exploit details have been publicly disclosed, increasing the potential for its utilization. However, this vulnerability only affects products that are no longer supported by their maintainer and have been superseded by FreshTomato.

  • Likely attacker skill level: Low
  • Required access or conditions: Remote, no privileges needed
  • Business risk or urgency: Low, unsupported product

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A vulnerability has been publicly disclosed in Shibby Tomato firmware up to version 1.28, affecting the Zserv Handler component. This flaw, an overflow in the rip_zebra_read_ipv4 function, could allow for remote attacks, potentially impacting system integrity and availability. Given that this vulnerability affects products no longer supported by their maintainer, organizations should prioritize identifying and mitigating the risk to any remaining affected systems.

  • Find affected devices running this firmware.
  • Isolate or disable affected services.
  • Plan for firmware replacement.

Frequently asked questions

What is Shibby Tomato and what is it used for?

Shibby Tomato is a custom firmware for certain routers. It's used to provide enhanced functionality and control over network devices, often replacing the manufacturer's original firmware.

What is CVE-2026-10124? What kind of weakness does it represent?

CVE-2026-10124 describes a stack-based buffer overflow vulnerability in the rip_zebra_read_ipv4 function of the Zserv Handler component in Shibby Tomato firmware. This type of weakness (CWE-119, CWE-121) occurs when a program writes data beyond the allocated buffer space on the stack, potentially corrupting adjacent memory and allowing an attacker to execute code.
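The weakness class described above, shown as an added example that is not the firmware's code: a reader for a length-prefixed IPv4 prefix that validates the declared length before copying into a fixed 4-byte field. The message layout (one prefix-length byte followed by the prefix bytes) and every name in the block are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_BITLEN 32

/* Hypothetical parsed result: prefix length in bits plus a fixed 4-byte address. */
struct ipv4_prefix {
    uint8_t prefixlen;
    uint8_t addr[4];   /* fixed-size destination, usually on the caller's stack */
};

/*
 * Parse [prefixlen:1][prefix bytes: ceil(prefixlen/8)] from msg (assumed layout).
 * Returns bytes consumed, or -1 if the message is malformed.
 *
 * Without the first check below, a declared length of 255 bits would copy
 * 32 bytes into the 4-byte addr field and corrupt adjacent stack memory.
 */
int read_ipv4_prefix(const uint8_t *msg, size_t msg_len, struct ipv4_prefix *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;

    uint8_t bits = msg[0];
    if (bits > IPV4_MAX_BITLEN)          /* destination cannot hold more than 32 bits */
        return -1;

    size_t nbytes = ((size_t)bits + 7) / 8;
    if (nbytes > msg_len - 1)            /* truncated message: would over-read the source */
        return -1;

    memset(out, 0, sizeof(*out));        /* unused trailing address bytes stay zero */
    out->prefixlen = bits;
    memcpy(out->addr, msg + 1, nbytes);  /* nbytes <= sizeof(out->addr) is guaranteed here */
    return (int)(1 + nbytes);
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = { 24, 192, 0, 2 };               /* 192.0.2.0/24 */
static const uint8_t SAMPLE_OVERLONG[]  = { 255, 1, 2, 3, 4, 5, 6, 7, 8 }; /* declares 255 bits */
static const uint8_t SAMPLE_TRUNCATED[] = { 32, 10, 0 };                   /* declares 4 bytes, has 2 */

int main(void)
{
    struct ipv4_prefix p;
    printf("ok=%d\n", read_ipv4_prefix(SAMPLE_OK, sizeof(SAMPLE_OK), &p));
    printf("overlong=%d\n", read_ipv4_prefix(SAMPLE_OVERLONG, sizeof(SAMPLE_OVERLONG), &p));
    printf("truncated=%d\n", read_ipv4_prefix(SAMPLE_TRUNCATED, sizeof(SAMPLE_TRUNCATED), &p));
    return 0;
}
```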

What are the conditions needed for an attacker to exploit CVE-2026-10124?

An attacker can exploit this vulnerability remotely. No authentication or special privileges are required to trigger the flaw, which involves manipulating the IPv4 reading function.

Who should be concerned about this vulnerability based on Halo Surface Signal?

This vulnerability is classified as external, meaning it could be reachable from the internet. However, the Halo Surface Signal indicates it's unlikely to be directly exposed, as router firmware services like this are typically for internal routing communication, not public internet access.

What is the first step for teams running this technology in response to CVE-2026-10124?

The immediate first step is to identify any devices still running the affected versions of Shibby Tomato firmware. Since the product is unsupported, planning for replacement or migration to supported firmware is the most practical long-term solution.
