Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote command injection in PicoClaw Web Launcher Management Plane (versions up to 0.2.4) allows unauthenticated attackers to execute arbitrary system commands via the /api/gateway/restart endpoint. CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication. Proof-of-concept code exists (CVSS:E:P). Vendor has not responded to responsible disclosure (reported via GitHub issue #2307), indicating no official patch is available. The Web Launcher Management Plane component suggests this affects administrative/control interfaces, making it a high-priority target for internet-exposed deployments.
Technical ContextAI
PicoClaw is a component/framework associated with Sipeed hardware projects. This vulnerability involves CWE-77 (Command Injection), where unsanitized user input to the /api/gateway/restart endpoint is passed to system command execution functions. The affected component is described as the 'Web Launcher Management Plane,' suggesting a web-based administrative or control interface for gateway/device management. The CPE string (cpe:2.3:a:n/a:picoclaw) indicates limited standardized product tracking, complicating automated vulnerability scanning. Command injection occurs when an application constructs system commands using external input without proper validation or escaping, allowing attackers to inject additional commands using shell metacharacters (semicolons, pipes, backticks). The /api/gateway/restart endpoint likely accepts parameters that are directly concatenated into shell commands for restarting gateway services, creating the injection point.
RemediationAI
No vendor-released patch identified at time of analysis - the project maintainer (Sipeed) has not responded to responsible disclosure via GitHub issue #2307, and no fix commit or patched version beyond 0.2.4 is documented. IMMEDIATE COMPENSATING CONTROLS (critical for internet-exposed instances): (1) Block external access to /api/gateway/restart and all Web Launcher Management Plane endpoints using firewall rules or reverse proxy ACLs - restricts attack surface but prevents legitimate remote management; (2) Implement network segmentation to isolate PicoClaw management interfaces on trusted admin-only VLANs - reduces exposure but requires network architecture changes; (3) Deploy web application firewall (WAF) with command injection signatures targeting shell metacharacters in API parameters - provides detection/blocking but may generate false positives and won't stop all encoding bypasses; (4) If feasible, disable the /api/gateway/restart endpoint entirely at application or web server level if restart functionality is not operationally required - most effective mitigation but removes intended feature. Monitor GitHub repository (https://github.com/sipeed/picoclaw) and VulDB entry (https://vuldb.com/vuln/359530) for future patch announcements. Consider migrating to alternative management solutions if vendor remains unresponsive, as unpatched RCE in admin interfaces is unsustainable long-term.
Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP
Server-side request forgery in Sipeed PicoClaw up to version 0.2.9 allows remote attackers to manipulate the WebFetchToo
Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.Re
Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allo
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25663