CVE-2025-57174
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on Siklu Etherhaul devices by exploiting hardcoded AES encryption keys in the rfpiped service. Attackers can craft encrypted packets to gain complete control of affected devices. This affects Etherhaul 8010TX and 1200FX devices running firmware 7.4.0 through 10.7.3, and potentially other Etherhaul series devices with shared firmware.
💻 Affected Systems
- Siklu Communications Etherhaul 8010TX
- Siklu Communications Etherhaul 1200FX
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, disrupt critical communications infrastructure, or deploy ransomware.
Likely Case
Attackers gain remote shell access to modify configurations, intercept network traffic, or use devices as footholds for lateral movement within the network.
If Mitigated
If devices are behind firewalls with strict network segmentation and access controls, exploitation risk is reduced but still possible from compromised internal systems.
🎯 Exploit Status
Detailed technical analysis and exploitation details are publicly available. The static AES keys being identical across devices makes exploitation straightforward once the encryption method is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown - Check http://ceragon.com or http://etherhaul.com for updates
Restart Required: Yes
Instructions:
1. Contact Siklu Communications for firmware updates.
2. Download and verify the firmware patch.
3. Backup device configuration.
4. Apply firmware update via management interface.
5. Reboot device.
6. Verify service is no longer vulnerable.
🔧 Temporary Workarounds
Network Access Control
Linux: Block external and internal access to TCP port 555 on affected devices
iptables -A INPUT -p tcp --dport 555 -j DROP
iptables -A OUTPUT -p tcp --dport 555 -j DROP
Service Disablement
All: Disable the rfpiped service if not required for device functionality
killall rfpiped
remove or rename rfpiped binary if possible
🧯 If You Can't Patch
- Isolate affected devices in dedicated VLAN with strict firewall rules allowing only necessary management traffic
- Implement network monitoring and IDS/IPS rules to detect exploitation attempts on port 555
🔍 How to Verify
Check if Vulnerable:
Check if device is listening on TCP port 555: nmap -p 555 <device_ip> or netstat -an | grep 555 on device
Check Version:
Check firmware version via device web interface or CLI: show version or similar command
Verify Fix Applied:
Verify port 555 is no longer listening and test with proof-of-concept exploit if available
📡 Detection & Monitoring
Log Indicators:
- Unusual connections to port 555
- Unexpected process execution from rfpiped service
- Failed authentication attempts followed by successful command execution
Network Indicators:
- Encrypted traffic to port 555 with predictable patterns
- Outbound connections from device after exploitation
- Unusual command and control traffic
SIEM Query:
(source_port:555 OR dest_port:555) AND (event_type:connection OR process_name:rfpiped)
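An added example (not part of the original page or any vendor tooling): one way to turn the "unusual connections to port 555" indicator into a check over netfilter LOG lines, flagging TCP/555 attempts whose source lies outside a management subnet. The subnet, the addresses and the log lines are constructed assumptions, and the log is assumed to come from an iptables LOG rule on a gateway in front of the devices.

```python
import ipaddress
import re
from collections import Counter

# Assumption: only this subnet is expected to reach the devices' management plane.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
RFPIPED_PORT = 555  # TCP port the page associates with rfpiped

# Matches the KEY=value fields of a netfilter LOG line.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.30.0.8 LEN=60 PROTO=TCP SPT=51514 DPT=555 SYN
Jan 12 10:03:40 gw kernel: IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.30.0.8 LEN=60 PROTO=TCP SPT=40022 DPT=555 SYN
Jan 12 10:03:41 gw kernel: IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.30.0.9 LEN=60 PROTO=TCP SPT=40023 DPT=555 SYN
Jan 12 10:05:00 gw kernel: IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.30.0.8 LEN=60 PROTO=TCP SPT=40100 DPT=5555 SYN
Jan 12 10:06:10 gw kernel: IN=eth0 OUT=eth2 SRC=192.0.2.44 DST=10.30.0.8 LEN=48 PROTO=UDP SPT=555 DPT=555
"""

def parse_line(line):
    """Return the KEY=value fields of one LOG line as a dict."""
    return dict(FIELD.findall(line))

def is_mgmt(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)

def unexpected_rfpiped_sources(log_text):
    """Count TCP/555 attempts per (source, destination) from outside MGMT_NETS."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(RFPIPED_PORT):
            continue  # exact match, so port 5555 or UDP/555 is not flagged
        if "SRC" not in f or "DST" not in f:
            continue  # incomplete record
        try:
            if is_mgmt(f["SRC"]):
                continue  # expected management traffic
        except ValueError:
            continue  # malformed source address
        hits[(f["SRC"], f["DST"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dst), n in sorted(unexpected_rfpiped_sources(SAMPLE_LOG).items()):
        print(f"ALERT tcp/555 from non-management host {src} -> {dst} ({n} attempt(s))")
```

Matching the destination port field exactly avoids the false positives a plain substring search for 555 produces on ports such as 5555.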