CVE-2025-57176: n/a
The rfpiped service on TCP port 555 in Ceragon Networks / Siklu Communication EtherHaul series (8010TX and 1200FX tested) Firmware 7.4.0 through 10.7.3 allows unauthenticated file uploads to any writable location on the device. File upload packets use weak encryption (metadata only) with file contents transmitted in cleartext. No authentication or path validation is performed.
AI Analysis
Technical Summary
CVE-2025-57176 is a critical vulnerability affecting the rfpiped service running on TCP port 555 in Ceragon Networks and Siklu Communication EtherHaul series devices, specifically tested on models 8010TX and 1200FX with firmware versions from 7.4.0 through 10.7.3. The vulnerability allows unauthenticated attackers to upload arbitrary files to any writable location on the affected device. The file upload mechanism uses weak encryption that only protects metadata, while the actual file contents are transmitted in cleartext, exposing sensitive data to interception. Crucially, the service performs no authentication or path validation, enabling attackers to place malicious files anywhere on the device's filesystem. This can lead to remote code execution, persistent backdoors, or disruption of device functionality. The lack of authentication and path validation combined with cleartext transmission significantly lowers the barrier for exploitation, making this vulnerability highly dangerous in operational environments where these devices are deployed. Although no known exploits are currently reported in the wild, the vulnerability's characteristics suggest it could be weaponized quickly once publicly disclosed.
Potential Impact
For European organizations, this vulnerability poses a severe risk, especially for critical infrastructure and telecommunications providers that rely on Ceragon Networks and Siklu EtherHaul devices for high-capacity wireless backhaul links. Successful exploitation could allow attackers to gain persistent control over network infrastructure components, leading to data interception, network outages, or manipulation of traffic. This could disrupt essential services such as internet connectivity, emergency communications, and enterprise WANs. Confidentiality is compromised due to cleartext transmission of uploaded files, integrity is at risk because attackers can place arbitrary files, and availability may be impacted if malicious payloads disrupt device operations. Given the strategic importance of telecommunications infrastructure in Europe, exploitation could have cascading effects on multiple sectors including finance, government, and utilities.
Mitigation Recommendations
Immediate mitigation should include isolating affected devices from untrusted networks and restricting access to TCP port 555 to trusted management networks only. Network segmentation and firewall rules should be implemented to block unauthorized access to the rfpiped service. Organizations should monitor network traffic for unusual file upload attempts or connections to port 555. Since no patches are currently available, consider deploying compensating controls such as disabling the rfpiped service if operationally feasible. Vendors should be engaged to provide firmware updates addressing authentication, encryption of file contents, and path validation. Additionally, organizations should conduct thorough audits of device configurations and logs to detect any signs of compromise. Implementing strict access controls and multi-factor authentication on management interfaces can reduce risk exposure. Finally, incident response plans should be updated to address potential exploitation scenarios involving these devices.
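One way to implement the port 555 monitoring recommended above, as an added example that is not part of the original advisory: it flags flow records destined for TCP port 555 on an inventoried EtherHaul device when the source lies outside the trusted management networks. The log format, device addresses and management subnet are constructed assumptions.

```python
import ipaddress
from collections import Counter

RFPIPED_PORT = 555  # TCP port of the rfpiped service, per the advisory
# Assumptions for this example: management subnet and device inventory.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]
ETHERHAUL_DEVICES = {ipaddress.ip_address(a) for a in ("10.50.1.10", "10.50.1.11")}

# Constructed sample flow records: "timestamp proto src:sport -> dst:dport bytes"
SAMPLE_FLOWS = """\
2025-09-15T17:02:19Z TCP 10.20.0.5:40112 -> 10.50.1.10:555 1840
2025-09-15T17:03:02Z TCP 192.0.2.44:51515 -> 10.50.1.10:555 73211
2025-09-15T17:03:40Z TCP 192.0.2.44:51516 -> 10.50.1.11:555 73190
2025-09-15T17:04:11Z TCP 10.20.0.5:40200 -> 10.50.1.10:22 5120
2025-09-15T17:05:00Z UDP 198.51.100.7:555 -> 10.50.1.11:555 90
malformed line that should be skipped
2025-09-15T17:06:30Z TCP 10.30.9.9:33000 -> 10.60.0.1:555 400
"""

def parse_flow(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port, nbytes), or None if unparsable."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src, _sport = parts[2].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        return (parts[0], parts[1].upper(), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), int(parts[5]))
    except ValueError:
        return None

def untrusted_rfpiped_flows(text):
    """Flows to TCP/555 on inventoried devices from outside the management networks."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip lines that do not match the assumed format
        ts, proto, src, dst, dport, nbytes = flow
        if proto != "TCP" or dport != RFPIPED_PORT or dst not in ETHERHAUL_DEVICES:
            continue
        if not any(src in net for net in TRUSTED_MGMT):
            alerts.append({"time": ts, "src": str(src), "dst": str(dst), "bytes": nbytes})
    return alerts

def alerts_by_source(alerts):
    """Count alerts per source address to prioritise triage."""
    return Counter(a["src"] for a in alerts)
```

Because the service performs no authentication, any hit from outside the management range warrants review of the target device.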
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
 
Threat ID: 68c8469be8cf1c5173493843
Added to database: 9/15/2025, 5:02:19 PM
Last enriched: 9/15/2025, 5:03:12 PM
Last updated: 11/3/2025, 12:10:17 AM