{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-exploitation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-16084"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PicoClaw (0.2.9 and earlier)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","remote-exploitation","sipeed","picoclaw"],"_cs_type":"advisory","_cs_vendors":["Sipeed"],"content_html":"\u003cp\u003eA high-severity server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16084, has been discovered in Sipeed PicoClaw, affecting all versions up to and including 0.2.9. The weakness resides within the \u003ccode\u003eweb_fetch\u003c/code\u003e function located in the \u003ccode\u003epkg/tools/integration/web.go\u003c/code\u003e file, allowing for remote exploitation without authentication. Attackers can manipulate server-side requests to access internal network resources or bypass external restrictions. A public exploit for this vulnerability is available, increasing the immediate risk of exploitation. Defenders should prioritize patching this vulnerability to prevent potential network compromise and data exposure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to a vulnerable Sipeed PicoClaw server, specifically targeting the \u003ccode\u003eweb_fetch\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds a malicious URL, which could point to an internal network resource (e.g., \u003ccode\u003e192.168.1.100\u003c/code\u003e, \u003ccode\u003elocalhost\u003c/code\u003e) or a controlled external service, within the request parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eweb_fetch\u003c/code\u003e function in \u003ccode\u003epkg/tools/integration/web.go\u003c/code\u003e processes this attacker-controlled input without sufficient validation or sanitization.\u003c/li\u003e\n\u003cli\u003eAs a result, the Sipeed PicoClaw server's process (e.g., \u003ccode\u003epicoclaw\u003c/code\u003e) initiates an unexpected outbound network connection to the URL specified by the attacker.\u003c/li\u003e\n\u003cli\u003eThe server acts as an unwitting proxy, making a request on behalf of the attacker to the target resource.\u003c/li\u003e\n\u003cli\u003eThe response from the target resource is then transmitted back to the Sipeed PicoClaw server, which may relay it to the attacker, potentially exposing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the server's elevated access to perform actions such as internal network enumeration, port scanning, accessing sensitive services, or bypassing firewall rules.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-16084 can lead to significant network exposure and potential data exfiltration. Attackers can use the vulnerable PicoClaw server to access services and systems on internal networks that are otherwise inaccessible from the internet. This includes scanning internal ports, accessing internal APIs, or retrieving sensitive data from other internal applications. The public availability of an exploit significantly increases the likelihood of widespread attacks, making unpatched systems prime targets for network reconnaissance and further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patch associated with commit \u003ccode\u003ec15aac21fe05ee103a470e1104bc891754e83392\u003c/code\u003e to all Sipeed PicoClaw installations to mitigate CVE-2026-16084.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Possible SSRF Outbound Connection from Sipeed PicoClaw (CVE-2026-16084)\u0026quot; to your SIEM to identify suspicious outbound network connections originating from the \u003ccode\u003epicoclaw\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive network connection logging for all servers running Sipeed PicoClaw to monitor for unexpected outbound traffic to internal or unusual external IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T09:18:22Z","date_published":"2026-07-18T09:18:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sipeed-picoclaw-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability, CVE-2026-16084, has been identified in Sipeed PicoClaw versions up to 0.2.9, allowing remote exploitation due to a weakness in the `web_fetch` function of `pkg/tools/integration/web.go`, with a public exploit available.","title":"Remote Server-Side Request Forgery in Sipeed PicoClaw (CVE-2026-16084)","url":"https://feed.craftedsignal.io/briefs/2026-07-sipeed-picoclaw-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote-Exploitation","version":"https://jsonfeed.org/version/1.1"}