
CVE-2025-57176: Unauthenticated File Upload Threatens Ceragon Siklu Microwave Backhaul

Security Arsenal Team
March 11, 2026
5 min read


Microwave backhaul links serve as the invisible backbone for critical communications infrastructure worldwide. From connecting remote cell towers to linking industrial facilities, these devices are often deployed in hard-to-reach locations, where they are expected to operate autonomously and securely. However, a recent vulnerability identified in Ceragon Networks’ Siklu MultiHaul and EtherHaul series reminds us that "out of sight" must not mean "out of mind" for security teams.

Designated as CVE-2025-57176, this vulnerability exposes a critical flaw in how these devices handle file transfers, potentially allowing attackers to compromise the integrity of the equipment without valid credentials.

Vulnerability Analysis

At its core, CVE-2025-57176 is an Unrestricted Upload of File with Dangerous Type (CWE-434). The vulnerability resides in the rfpiped service, which listens on TCP port 555. This service is intended for remote file management but suffers from a catastrophic lack of security controls.

The Mechanics of the Flaw

The vulnerability allows for unauthenticated file uploads to any writable location on the device. This means an attacker does not need a username, password, or API token to interact with the service. Furthermore, the transmission is insecure:

  1. Lack of Authentication: The rfpiped service accepts connections and file transfer commands without verifying the identity of the requester.
  2. Weak Encryption: While metadata may receive some form of obfuscation, the actual file contents are transmitted in cleartext.
  3. No Path Validation: The device does not restrict where files can be saved. If the attacker knows the filesystem structure, they can write to sensitive configuration directories.
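To make the third point concrete, the following is an added illustration (not rfpiped code and not Ceragon's fix) of the path confinement check that an upload service of this kind needs: a client-supplied file name is mapped onto a single upload tree and rejected if it is absolute, escapes that tree, or carries a file type the service was never meant to accept. The upload root and the allowed suffixes are assumptions.

```python
import posixpath
from typing import Optional

# Assumed values for the illustration: the only directory a remote upload may
# touch, and the file types the service is meant to handle.
UPLOAD_ROOT = "/var/upload"
ALLOWED_SUFFIXES = {".bin", ".cfg", ".txt"}


def resolve_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Map a client-supplied file name onto a path inside `root`.

    Returns the confined absolute path, or None when the name is empty, contains
    a NUL byte, is absolute, normalises to a location outside the upload tree,
    or has a suffix that is not on the allow-list (the CWE-434 check).
    """
    if not client_name or "\x00" in client_name:
        return None
    # Never honour an absolute path from the network; everything is relative to root.
    if posixpath.isabs(client_name):
        return None
    # Lexical normalisation collapses "..", ".", and duplicate slashes. A real
    # service would additionally resolve symlinks (realpath) before writing.
    candidate = posixpath.normpath(posixpath.join(root, client_name))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    _, suffix = posixpath.splitext(candidate)
    if suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate
```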

The Risk Profile

While the CVSS v3.1 base score is 5.3 (Medium), the operational impact is significant. An attacker exploiting this vulnerability could:

  • Overwrite Configuration Files: By uploading a malicious configuration file, an attacker could alter the radio's operational parameters, potentially causing a denial of service (DoS) or rerouting traffic.
  • Persistence: Upload scripts or binaries that execute upon reboot or specific triggers, establishing a persistent foothold in the network.
  • Credential Harvesting: Although the upload is unauthenticated, subsequent actions (like reading uploaded files) might allow an attacker to dump stored secrets if combined with other logic flaws.

Affected Products

The advisory confirms that the following devices are running vulnerable firmware:

  • MultiHaul Series: MH-B100-CCS, MH-T200-CCC, MH-T200-CNN, MH-T201-CNN (Firmware versions prior to R2.4.0)
  • EtherHaul Series: EH-8010FX, EH-500TX, EH-600TX, EH-614TX, EH-700TX, EH-710TX, EH-1200TX, EH-1200FX, EH-2200FX, EH-2500FX, EH-5500FD (Firmware versions vary, see remediation below)

Detection and Threat Hunting

Identifying whether this vulnerability is being scanned or exploited requires a combination of network traffic analysis and asset management. Because the traffic uses a specific port (TCP 555) and often contains cleartext payloads, network defenders have distinct indicators to look for.

Network Traffic Analysis (KQL)

If you are forwarding network logs (Firewall, NetFlow, or Zeek/Bro) to Microsoft Sentinel, use the following KQL query to detect suspicious activity targeting the rfpiped service. The query is written against the DeviceNetworkEvents table; adapt the table and column names if your firewall or Zeek logs land in a different table.

Script / Code
let Port = 555;
let TimeWindow = 1h;
// Replace the placeholder with the management addresses of your Ceragon radios.
let CeragonIPs = dynamic(["<Insert_Known_Ceragon_IPs>"]);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeWindow)
// Either a connection accepted on the rfpiped port, or any host reaching out to that port.
| where (ActionType == "InboundConnectionAccepted" and LocalPort == Port)
     or (ActionType in ("ConnectionRequest", "ConnectionSuccess") and RemotePort == Port)
| extend DeviceVendor = iff(DeviceName contains "MultiHaul" or DeviceName contains "EtherHaul", "Ceragon", "Unknown")
| where DeviceVendor == "Ceragon" or RemoteIP in (CeragonIPs) or LocalIP in (CeragonIPs)
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceIP = iff(ActionType == "InboundConnectionAccepted", RemoteIP, LocalIP),
       DestinationIP = iff(ActionType == "InboundConnectionAccepted", LocalIP, RemoteIP),
       DeviceName
| order by Connections desc
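For teams whose Zeek conn.log does not reach Sentinel, the same hunt can be run directly over the log. The script below is an added example, not part of the original advisory or of any Zeek tooling: it flags every TCP 555 session whose source is outside the management subnets that are allowed to reach the radios, and rates a non-RFC 1918 source as high severity because that indicates the internet exposure the mitigation section rules out. The sample log lines and the management subnet are constructed assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample Zeek conn.log lines, tab-separated, first seven default columns:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = """\
1773187200.10\tCxa1\t10.20.0.15\t51234\t10.20.5.10\t555\ttcp
1773187201.20\tCxa2\t203.0.113.44\t40001\t10.20.5.10\t555\ttcp
1773187202.30\tCxa3\t10.20.0.15\t51240\t10.20.5.11\t443\ttcp
1773187203.40\tCxa4\t10.99.1.7\t60002\t10.20.5.11\t555\ttcp
1773187204.50\tCxa5\t203.0.113.44\t40002\t10.20.5.12\t555\ttcp
"""

RFPIPED_PORT = 555
# Assumption: the management subnet that the ACLs permit to reach TCP 555.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# RFC 1918 ranges, the only addresses the advisory wants on management interfaces.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_unexpected_rfpiped_sessions(conn_log: str) -> List[Dict[str, str]]:
    """Return TCP 555 sessions whose source is not an allowed management host."""
    findings = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        if proto != "tcp" or int(resp_p) != RFPIPED_PORT:
            continue
        if in_any(orig_h, MANAGEMENT_NETS):
            continue
        findings.append({
            "uid": uid, "src": orig_h, "dst": resp_h,
            # A source outside RFC 1918 means the service is reachable from outside.
            "severity": "high" if not in_any(orig_h, RFC1918_NETS) else "medium",
        })
    return findings


def sources_by_session_count(findings: List[Dict[str, str]]) -> Counter:
    """Rank offending sources, which is what a scanner sweeping the fleet looks like."""
    return Counter(f["src"] for f in findings)
```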

Vulnerability Scanning (Bash)

For security administrators managing a large fleet of these devices, you can use a simple Bash script leveraging nmap to scan a subnet for devices that have port 555 exposed. This is useful for identifying devices that are inadvertently reachable from the management network.

Script / Code
#!/bin/bash
# Inventory check: list hosts in a management subnet that expose TCP 555 (rfpiped).

# Define the target subnet range (change according to your network topology)
TARGET_SUBNET="192.168.100.0/24"
TARGET_PORT="555"

echo "[*] Scanning $TARGET_SUBNET for open TCP port $TARGET_PORT (rfpiped service)..."

# -n skips reverse DNS; -oG - writes greppable output to stdout, one line per host
# of the form "Host: <ip> ()  Ports: 555/open/tcp//...". The awk filter keeps only
# hosts where the port is open and prints their IP address (second field).
nmap -n -p "$TARGET_PORT" --open -oG - "$TARGET_SUBNET" \
    | awk -v port="$TARGET_PORT" '/Ports:/ && $0 ~ port"/open" { print $2 }'

echo "[*] Scan complete. Please review the list of IPs."
echo "[!] REMINDER: Ensure these devices are patched and behind ACLs."

Mitigation and Remediation

Addressing CVE-2025-57176 requires a two-pronged approach: immediate patching to remove the vulnerability, and network hardening to reduce the attack surface.

1. Firmware Updates (The Fix)

Ceragon has released specific firmware updates to patch this vulnerability. Apply these updates immediately based on your device model:

  • MultiHaul Models: Upgrade to firmware version R2.4.0 or later.
  • EtherHaul EH-8010FX: Upgrade to firmware version R10.8.1 or later.
  • Other EtherHaul Models: Upgrade to firmware version R7.7.12 or later.

2. Network Segmentation & Access Control

Until patches are deployed, or as a permanent security posture, ensure the following controls are in place:

  • Use RFC 1918 Addresses: Ensure management interfaces are assigned private IP addresses only.
  • Restrict Traffic via ACLs: Configure firewalls to strictly deny access to TCP port 555 from unauthorized networks. Only allow access from specific management subnets.
  • Eliminate Internet Exposure: Under no circumstances should the management interface or port 555 be accessible from the public internet. If remote access is required, utilize a VPN with Multi-Factor Authentication (MFA).

3. Post-Patch Verification

After applying the firmware, verify that the rfpiped service behavior has changed (e.g., it now requires authentication or is disabled by default) and that TCP 555 is no longer accepting unauthenticated connections.

Conclusion

CVE-2025-57176 represents a classic supply chain risk in OT and ICS environments: a service designed for remote management becomes a wide-open door for attackers. For organizations relying on Ceragon Siklu products, the priority must be patching the firmware and isolating the management plane. As we continue to see critical infrastructure targeted by sophisticated actors, the hygiene of "edge" devices like microwave backhaul links is just as important as securing the core data center.

