Executive Summary
In September 2025, a critical vulnerability (CVE-2025-57176) was identified in Ceragon Networks and Siklu Communication's EtherHaul and MultiHaul series devices. The 'rfpiped' service on TCP port 555 allowed unauthenticated file uploads to any writable location on the device. This flaw, present in firmware versions 7.4.0 through 10.7.3, utilized weak encryption for metadata and transmitted file contents in cleartext, lacking authentication and path validation. Exploitation could lead to unauthorized access and control over affected devices. (nvd.nist.gov)
This incident underscores the persistent risks associated with inadequate authentication mechanisms in network devices. Organizations must prioritize regular firmware updates and implement robust access controls to mitigate such vulnerabilities.
Why This Matters Now
The CVE-2025-57176 vulnerability highlights the critical need for secure authentication and encryption practices in network devices. As similar vulnerabilities continue to emerge, organizations must proactively update firmware and enforce stringent security protocols to protect against unauthorized access and potential network compromises.
Attack Path Analysis
An attacker exploited the unauthenticated file upload vulnerability in the rfpiped service on TCP port 555 of Ceragon Networks/Siklu Communication EtherHaul devices, allowing them to upload malicious files. These files enabled the attacker to execute arbitrary commands, escalating their privileges on the device. With elevated access, the attacker moved laterally to other devices within the network. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised devices. Finally, the attacker disrupted network operations by modifying device configurations or deploying destructive payloads.
Kill Chain Progression
Initial Compromise
Description
Exploited unauthenticated file upload vulnerability in rfpiped service on TCP port 555 to upload malicious files.
Related CVEs
CVE-2025-57176
CVSS 6.5
The rfpiped service on TCP port 555 in Ceragon Networks / Siklu Communication EtherHaul series allows unauthenticated file uploads to any writable location on the device.
Affected Products:
Ceragon Networks EtherHaul 8010TX – 7.4.0 through 10.7.3
Ceragon Networks EtherHaul 1200FX – 7.4.0 through 10.7.3
Exploit Status:
proof of concept
CVE-2025-57174
CVSS 9.8
The rfpiped service on TCP port 555 in Siklu Communications EtherHaul 8010TX and 1200FX devices uses static AES encryption keys hardcoded in the binary, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication.
Affected Products:
Siklu Communications EtherHaul 8010TX – 7.4.0 through 10.7.3
Siklu Communications EtherHaul 1200FX – 7.4.0 through 10.7.3
Exploit Status:
proof of concept
CVE-2024-58300
CVSS 8.7
Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request, enabling direct SSH access to the device.
Affected Products:
Siklu Communications MultiHaul TG series – before 2.0.0
Exploit Status:
proof of concept
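As an added illustration (not from the advisory, NVD, or any vendor tool), the following Python maps the affected firmware ranges stated above onto a device inventory and flags which matching hosts still expose the rfpiped port; the inventory rows, hostnames and the substring-based product matching are assumptions for the example.

```python
# Affected ranges as stated on this page; the bool says whether the upper bound
# is inclusive ("through 10.7.3") or exclusive ("before 2.0.0").
AFFECTED = (
    ("EtherHaul 8010TX", (7, 4, 0), (10, 7, 3), True, ["CVE-2025-57176", "CVE-2025-57174"]),
    ("EtherHaul 1200FX", (7, 4, 0), (10, 7, 3), True, ["CVE-2025-57176", "CVE-2025-57174"]),
    ("MultiHaul TG", (0, 0, 0), (2, 0, 0), False, ["CVE-2024-58300"]),
)
RFPIPED_CVES = {"CVE-2025-57176", "CVE-2025-57174"}  # the issues reachable via TCP 555


def parse_version(text):
    """Turn a firmware string such as '10.7.3' into a comparable 3-tuple."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def affected_cves(product, firmware):
    """CVEs from this page whose stated range covers (product, firmware).
    A version outside every stated range is unmatched, not proven safe."""
    v = parse_version(firmware)
    hits = []
    for name, lo, hi, hi_inclusive, cves in AFFECTED:
        if name.lower() not in product.lower():
            continue
        if v < lo or v > hi or (v == hi and not hi_inclusive):
            continue
        hits.extend(cves)
    return hits


def triage(inventory):
    """Rows needing action, flagging whether the rfpiped port is reachable."""
    findings = []
    for dev in inventory:
        cves = affected_cves(dev["product"], dev["firmware"])
        if not cves:
            continue
        exposed = 555 in dev.get("open_tcp_ports", []) and bool(RFPIPED_CVES & set(cves))
        findings.append({"host": dev["host"], "cves": cves, "rfpiped_exposed": exposed})
    return findings


# Constructed sample inventory: hostnames, versions and port lists are made up.
INVENTORY = [
    {"host": "mw-link-01", "product": "Ceragon EtherHaul 8010TX", "firmware": "10.7.3", "open_tcp_ports": [22, 555]},
    {"host": "mw-link-02", "product": "Siklu EtherHaul 1200FX", "firmware": "10.7.4", "open_tcp_ports": [22]},
    {"host": "mh-tg-01", "product": "Siklu MultiHaul TG", "firmware": "1.9.2", "open_tcp_ports": [22]},
    {"host": "mw-link-03", "product": "Ceragon EtherHaul 8010TX", "firmware": "7.3.9", "open_tcp_ports": [555]},
]
```

Hosts whose firmware falls outside every stated range are left out of the findings rather than reported as safe, so the output is a patch-and-isolate worklist, not a clean bill of health.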
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Ingress Tool Transfer
Valid Accounts
Command and Scripting Interpreter
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical infrastructure vulnerability in microwave antenna systems enables unauthenticated file uploads, compromising network backbone security and encrypted traffic protection capabilities.
Utilities
Power grid and utility communications networks using affected Ceragon equipment face arbitrary file upload risks, threatening operational technology and industrial control systems.
Government Administration
Government communications infrastructure vulnerability allows remote exploitation of microwave links, potentially compromising secure government networks and sensitive data transmission channels.
Oil/Energy/Solar/Greentech
Energy sector communications infrastructure faces unencrypted traffic exposure and lateral movement risks through compromised microwave antenna systems supporting critical operational networks.
Sources
- Ceragon Siklu MultiHaul and EtherHaul Series (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-04
- NVD - CVE-2025-57176: https://nvd.nist.gov/vuln/detail/CVE-2025-57176
- NVD - CVE-2025-57174: https://nvd.nist.gov/vuln/detail/CVE-2025-57174
- NVD - CVE-2024-58300: https://nvd.nist.gov/vuln/detail/CVE-2024-58300
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies, thereby reducing the blast radius of the compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the vulnerability may have been constrained by enforcing strict access controls and monitoring, potentially reducing the likelihood of unauthorized file uploads.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-based access controls, reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling east-west traffic, reducing the reachability of other devices.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been limited by continuous monitoring and control of network traffic across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been constrained by enforcing strict egress policies, reducing the likelihood of unauthorized data transfers.
The attacker's ability to disrupt network operations would likely have been limited by the cumulative enforcement of segmentation, access controls, and traffic monitoring, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Network Operations
- Data Security
- Service Delivery
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive configuration data and unauthorized access to network devices.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict device-to-device communication and limit lateral movement.
- Deploy Inline IPS (Suricata) to detect and prevent unauthorized file uploads and command execution attempts.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Ensure all devices are updated to firmware versions that address known vulnerabilities, such as CVE-2025-57176.