CVE-2025-57176: CWE-434 Unrestricted Upload of File with Dangerous Type in Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas
On Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas before 2026-03-10, the rfpiped service on TCP port 555 allows unauthenticated file uploads to any writable location on the device. File upload packets use weak encryption (metadata only) with file contents transmitted in cleartext. No authentication or path validation is performed.
AI Analysis
Technical Summary
CVE-2025-57176 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting multiple models of Ceragon Networks and Siklu Communication EtherHaul and MultiHaul Series microwave antennas. The vulnerability resides in the rfpiped service, which listens on TCP port 555 and allows unauthenticated remote attackers to upload arbitrary files to any writable location on the device's filesystem. The upload mechanism uses weak encryption that protects only metadata, while the actual file contents are transmitted in cleartext, exposing sensitive data to interception or manipulation during transit. Critically, the service performs no authentication or path validation, enabling attackers to place malicious files anywhere writable, potentially leading to unauthorized code execution, device compromise, or information disclosure. The affected product models include a broad range of Ceragon MultiHaul and EtherHaul devices widely used in microwave backhaul and point-to-point wireless communication networks. The vulnerability was published on September 15, 2025, with no known exploits in the wild at the time. The CVSS v3.1 base score is 6.5, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality and integrity but not availability. This vulnerability poses a significant risk to the confidentiality and integrity of communications and device operation in critical telecom infrastructure if exploited. Organizations using these devices should prioritize mitigation to prevent unauthorized access and file uploads.
Potential Impact
The vulnerability allows unauthenticated remote attackers to upload arbitrary files to critical microwave antenna devices, potentially leading to several adverse impacts. Confidentiality is at risk because file contents are transmitted in cleartext and can be intercepted, and attackers can upload malicious files that may exfiltrate sensitive data. Integrity is compromised as attackers can overwrite or add files, potentially injecting malicious code or altering device configurations. Although availability is not directly impacted, successful exploitation could lead to device instability or indirect denial of service through malicious payloads. Given that these devices are often part of critical telecommunications infrastructure, exploitation could disrupt network communications, degrade service quality, or facilitate further attacks within the network. The ease of exploitation (no authentication or user interaction required) increases the likelihood of attacks, especially in environments where port 555 is exposed or insufficiently protected. The broad range of affected models means many organizations worldwide could be vulnerable, particularly telecom operators and enterprises relying on these microwave links for backhaul connectivity.
Mitigation Recommendations
1. Immediately restrict network access to TCP port 555 on all affected devices using firewalls, access control lists, or network segmentation to limit exposure to trusted management networks only.
2. Monitor network traffic for unusual file upload attempts or connections to port 555 from unauthorized sources.
3. Implement strong encryption and authentication controls at the network perimeter to prevent unauthorized access to device management interfaces.
4. Coordinate with Ceragon Networks / Siklu Communication for official patches or firmware updates addressing this vulnerability and apply them promptly once available.
5. Conduct thorough audits of device file systems to detect and remove any unauthorized or suspicious files.
6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability.
7. Review and harden device configurations to disable unnecessary services or restrict writable directories where possible.
8. Establish incident response procedures specifically for microwave antenna infrastructure to quickly respond to potential compromises.
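One way to carry out the monitoring in recommendation 2 is to flag any TCP flow to port 555 whose source lies outside the management network. The following is an added example, not code from the advisory or the vendor; the flow-log format, the sample records and the 10.20.0.0/24 management subnet are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RFPIPED_PORT = 555  # TCP port of the rfpiped service named in the advisory
# Assumption: the only network allowed to manage the antennas.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records: "time proto src:port -> dst:port bytes"
SAMPLE_FLOWS = """\
2026-01-05T10:00:01Z tcp 10.20.0.15:50122 -> 192.0.2.10:555 820
2026-01-05T10:03:44Z tcp 198.51.100.7:41810 -> 192.0.2.10:555 48213
2026-01-05T10:03:59Z tcp 198.51.100.7:41822 -> 192.0.2.11:555 48213
2026-01-05T10:04:10Z udp 198.51.100.7:5353 -> 192.0.2.10:555 90
2026-01-05T10:05:00Z tcp 203.0.113.9:33000 -> 192.0.2.10:443 1200
truncated or malformed record
"""

def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port, nbytes), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        dst_host, dst_port = parts[4].rsplit(":", 1)
        return parts[1].lower(), src, ipaddress.ip_address(dst_host), int(dst_port), int(parts[5])
    except ValueError:
        return None

def untrusted_rfpiped_flows(text, trusted=TRUSTED_MGMT, port=RFPIPED_PORT):
    """Group TCP flows to the rfpiped port by source, skipping trusted sources."""
    hits = defaultdict(lambda: {"devices": set(), "flows": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec[0] != "tcp" or rec[3] != port:
            continue
        _, src, dst, _, nbytes = rec
        if any(src in net for net in trusted):
            continue  # expected management traffic
        entry = hits[str(src)]
        entry["devices"].add(str(dst))  # which antennas this source touched
        entry["flows"] += 1
        entry["bytes"] += nbytes
    return dict(hits)

if __name__ == "__main__":
    for src, info in untrusted_rfpiped_flows(SAMPLE_FLOWS).items():
        print(src, sorted(info["devices"]), info["flows"], info["bytes"])
```

Grouping by source shows when one outside host reaches several antennas, and the byte totals help separate bare connection attempts from transfers large enough to carry a file.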
Affected Countries
United States, Germany, United Kingdom, India, Japan, South Korea, Brazil, Australia, Canada, France, Italy, Spain, Israel, United Arab Emirates
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c8469be8cf1c5173493843
Added to database: 9/15/2025, 5:02:19 PM
Last enriched: 3/11/2026, 7:09:48 PM
Last updated: 3/24/2026, 11:48:43 PM