External risk intelligence

Siklu Etherhaul RCE via Hardcoded Encryption Keys

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-57174

The vulnerable service runs on network equipment (Etherhaul) designed for wireless backhaul and connectivity. These devices frequently act as edge or infrastructure gateways, making the listening management service reachable over the network in common deployment scenarios where such equipment is used to bridge remote locations.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Siklu Etherhaul devices allows unauthenticated attackers to execute arbitrary commands by exploiting hardcoded encryption keys. While this specific issue appears to be a repeat of a previous vulnerability, its presence on network infrastructure devices poses a significant risk of unauthorized access and control over network operations. The primary concern is confirming whether these devices are in use and exposed.

  • Insecure encryption keys allow unauthenticated command execution.
  • Critical infrastructure devices are at risk of compromise.
  • Confirm exposure and relevance for network security.

Attack Path

How an attacker could exploit the issue

An attacker can reach the vulnerable service on Siklu devices by sending specially crafted network packets. Because the service uses hardcoded, identical encryption keys across all devices, an attacker can forge encrypted packets that the device will accept. These packets can then be used to execute arbitrary commands on the device, leading to a complete compromise.

  • Network exposure required.
  • Static, hardcoded encryption keys.
  • Arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

The `rfpiped` service on Siklu Etherhaul devices, which handles network traffic, uses hardcoded, identical AES encryption keys. This flaw allows any attacker on the network to craft malicious packets to execute commands on the device without needing any credentials. This could impact the confidentiality, integrity, and availability of the affected network equipment.

  • Network command execution.
  • Crafted packets exploit weak encryption.
  • Device compromise and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that the affected technology consists of network devices (Siklu Etherhaul) and a service listening on a network port, the infrastructure team or network/security team is likely responsible for managing these devices. The first practical step is to inventory all deployed Etherhaul devices, confirm their network exposure and criticality, identify the business owner of each device, and then prioritize remediation efforts.

  • Identify and catalog all affected devices.
  • Verify network reachability and criticality.
  • Coordinate with vendor for firmware updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Siklu Etherhaul device?

Siklu Etherhaul 8010TX and 1200FX are networking products used for wireless backhaul. They provide high-capacity connectivity to bridge remote locations, acting as critical infrastructure or edge gateways in communication networks. These devices run specialized firmware to manage traffic and operations.

What does CWE-321 mean for CVE-2025-57174?

CWE-321 identifies the use of hardcoded cryptographic keys. In this vulnerability, the 'rfpiped' service relies on static AES keys embedded directly in the device software. Because these keys are identical across all units, they do not provide actual security; anyone who knows the key can encrypt malicious commands that the device will treat as legitimate and trusted.

How do attackers trigger this vulnerability?

An attacker triggers the flaw by sending specially crafted packets to TCP port 555. Because the encryption keys are hardcoded and known, the device accepts the attacker's forged traffic without requiring authentication. Note that simply having the device powered on is not enough; the attacker must be able to reach the management port over the network to deliver the malicious payload.

Why does Halo Surface Signal categorize this as external?

Halo Surface Signal identifies this as external because Etherhaul devices are typically positioned as edge or infrastructure gateways. Since these devices are often placed to bridge remote network locations, the management service listening on port 555 is frequently reachable via the internet or wide-area network, increasing the risk of remote unauthorized access.

What should I do if I manage Siklu hardware?

First, conduct an inventory to locate all Etherhaul devices in your environment. Confirm which units are network-reachable and assess their criticality to your operations. Once identified, consult the manufacturer for official firmware updates or guidance to mitigate the risks associated with the hardcoded keys in the 'rfpiped' service.

References