by nightpool 76 days ago
Can you speak a little bit more to the stats in the OP?

* 135k+ OpenClaw instances are publicly exposed

* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

Is this accurate? This is definitely a very different picture than the one you paint.


That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).
The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.
I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(
Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?
The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.
I’m not the person you’re talking to but the stats are copied from the second link in the post, the web archive one.
Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.
Definitely agree—that's why I hoped the openclaw maintainer would have been able to speak to those numbers and whether or not they were accurate.