CVE-2025-57176: Unauthenticated File Upload in Ceragon Siklu Devices

Overview: Unauthenticated File Upload Threatens Ceragon Siklu Devices

Runtime Rebel is issuing an advisory regarding a significant vulnerability, CVE-2025-57176, affecting various models within the Ceragon Siklu MultiHaul and EtherHaul series. This flaw, categorized as an “Unrestricted Upload of File with Dangerous Type” (CWE-434), allows unauthenticated attackers to upload arbitrary files to the target equipment. Such a capability can lead to unauthorized modification of device configurations, remote code execution (RCE), or the establishment of persistent access for malicious actors, directly impacting the integrity and availability of critical communications infrastructure globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged this vulnerability, noting the existence of a public Proof of Concept (PoC) as authored by semaja22, though no active exploitation has been reported to CISA at this time, according to CISA’s advisory ICSA-26-069-04.

Technical Analysis: CVE-2025-57176 and Its Implications

The core of CVE-2025-57176 lies within the rfpiped service, listening on TCP port 555 on affected Ceragon Siklu devices. This service is vulnerable to unauthenticated file uploads, meaning an attacker does not require any credentials to write files to any writable location on the device’s filesystem. Furthermore, the file upload process employs weak encryption (metadata only), with file contents transmitted in cleartext. Critically, the service performs no authentication or path validation, amplifying the potential for malicious activity.

The CVSS v3.1 Base Score for this vulnerability is 5.3 (Medium), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. While the stated integrity impact is ‘None’ in the official CVSS vector, the nature of an arbitrary file upload — especially to ‘any writable location’ — inherently poses a severe risk to system integrity. Attackers could upload malicious scripts, modified configuration files, or even firmware images, potentially leading to a full compromise of the device. This capability could be leveraged for Privilege Escalation, further Lateral Movement within a network, or establishing a covert C2 channel.

Affected Products and Versions

The vulnerability impacts a wide range of Ceragon Siklu products, which are commonly deployed in communications infrastructure worldwide. Organizations running these devices must verify their versions. Affected models include:

• Ceragon MultiHaul Series:
  • MH-B100-CCS: all versions prior to R2.4.0
  • MH-T200-CCC: all versions prior to R2.4.0
  • MH-T200-CNN: all versions prior to R2.4.0
  • MH-T201-CNN: all versions prior to R2.4.0
• Ceragon EtherHaul Series:
  • EH-8010FX: all versions prior to R10.8.1
  • EH-500TX, EH-600TX, EH-614TX, EH-700TX, EH-710TX, EH-1200TX, EH-1200FX, EH-2200FX, EH-2500FX, EH-5500FD: all versions prior to R7.7.12

Actionable Recommendations and Mitigation for Ceragon Siklu Devices

To address this critical vulnerability and prevent potential compromise, organizations leveraging Ceragon Siklu MultiHaul and EtherHaul series devices must prioritize the following actions. Effectively mitigating unauthenticated file upload in Ceragon networks requires a multi-layered approach combining immediate patching with robust network segmentation and access control policies.

Prioritized Firmware Updates

The most direct and effective remediation is to update the device firmware to the patched versions provided by Ceragon. This is the single most important action defenders must take today.

• MultiHaul Models: Install firmware version R2.4.0 for affected MH-B100-CCS, MH-T200-CCC, MH-T200-CNN, and MH-T201-CNN units.
• EtherHaul EH-8010FX: Install firmware version R10.8.1.
• Other EtherHaul Models: Install firmware version R7.7.12 for EH-500TX, EH-600TX, EH-614TX, EH-700TX, EH-710TX, EH-1200TX, EH-1200FX, EH-2200FX, EH-2500FX, and EH-5500FD models.

Access to these updates and further information can be found on the Ceragon portal (login required) at https://portal.ceragon.com/.

Hardening Management Access

Beyond patching, implementing stringent network security controls is essential to minimize exposure, especially for devices within critical infrastructure sectors. Organizations should seek to remediate the potential for CVE-2025-57176 rfpiped service exposure by enforcing:

• Private Management IP Addresses: Ensure all management IP addresses for these devices utilize private subnets, as defined by RFC 1918. Public exposure of management interfaces is neither supported nor recommended.
• Network Segmentation: Protect management networks with dedicated security controls, including:
  • Firewalls: Implement robust firewall rules to restrict access to the rfpiped service (TCP port 555) and other management interfaces to trusted sources only.
  • Access Control Lists (ACLs): Apply strict ACLs on routers and switches to limit connectivity.
  • Network Address Translation (NAT) / Secure Management Domains: Employ these methods to create secure management zones, reducing direct exposure.
• Internal Security Controls: Verify that all affected radio units are placed behind internal security controls and adhere strictly to organizational authentication and access-control policies.
• VPN for Remote Access: When remote access is necessary, utilize secure Virtual Private Networks (VPNs). It is crucial to ensure VPN solutions are updated to the most current versions, recognizing that a VPN’s security is contingent on the security of connected devices.

CISA consistently recommends that organizations perform thorough impact analysis and risk assessments prior to deploying defensive measures. For broader guidance on safeguarding control systems, consult CISA’s resources on ICS cybersecurity, including defense-in-depth strategies and targeted cyber intrusion detection methodologies.

Conclusion

The unauthenticated file upload vulnerability in Ceragon Siklu MultiHaul and EtherHaul devices presents a clear and present danger, particularly for the global communications sector. While direct exploitation in the wild has not been widely reported to CISA, the existence of a public PoC underscores the urgency. Security teams must prioritize applying the vendor-provided firmware updates and reinforce network segmentation and access controls to protect these critical assets from potential compromise. Proactive defense measures are paramount to maintain the integrity and availability of essential services.