CVE-2025-57174
published 2025-09-15


CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Priority: P275
Tags: EXPLOIT
EPSS: 1.22% (64.9th percentile)
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service, listening on TCP port 555, uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. The issue may affect other Etherhaul series devices with shared firmware.

Detection & IOCs (extracted from sources)

Port: 555/TCP
Command: Shodan dork "EH-8010" or "EH-1200"
  • Monitor for inbound TCP connections to port 555 on Siklu EtherHaul devices; any connection to this port from an untrusted source should be treated as suspicious, as the rfpiped service accepts unauthenticated encrypted commands using hardcoded AES keys identical across all devices.
  • Exploit traffic to TCP/555 begins with a 0x90-byte (144-byte) AES-CBC encrypted header, followed by an optional padded payload. Detection rules should flag TCP streams to port 555 where the first observed data block is exactly 144 bytes.
  • The exploit sets header byte[0] (flag) to 0x00 and byte[1] (msg) to 0x01 for command execution requests. Network inspection of decrypted rfpiped traffic should alert on msg=0x01 packets.
  • The exploit uses AES-CBC mode with a static IV (IV0) derived from struct.pack for the initial send IV. If the static key and IV are recovered from firmware, network-level decryption of port 555 traffic can reveal plaintext commands for alerting.
  • Shodan exposure: devices advertising 'EH-8010' or 'EH-1200' banners are likely vulnerable. Threat hunting should identify internet-facing Siklu EtherHaul devices using these Shodan dorks.
  • This is a failed patch for CVE-2017-7318; devices running firmware 7.4.0 through 10.7.3 remain vulnerable. Inventory checks should flag any Siklu EtherHaul device in this firmware range.
  • The static AES key and IV are hardcoded in the rfpiped binary and are identical across ALL affected devices (EH-8010TX, EH-1200FX, and potentially other EtherHaul series). Any attacker with knowledge of these values can craft valid encrypted packets without device-specific credentials.
  • The vulnerability may affect additional EtherHaul series devices beyond the explicitly named models, due to shared firmware across the product line.
  • The exploit payload uses CBC chaining where the send IV is updated to the last 16 bytes of each ciphertext block, and the recv IV is similarly updated. Detection/decryption tooling must implement stateful IV tracking per session.
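The stateful IV tracking and the two header checks from the notes above (first data block exactly 144 bytes, msg byte 0x01), as an added example written for this page; it is not code from the page, from Siklu, or from any published tool. Go is used because its standard library provides AES-CBC. The key, initial IV and any packets are placeholders or constructed samples: the real firmware values are not on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const hdrLen = 0x90 // rfpiped header length from the advisory (144 bytes)
// Session tracks one direction of an rfpiped stream: after every chunk the CBC IV
// becomes the last 16 ciphertext bytes, as the detection notes describe.
type Session struct {
	block cipher.Block
	iv    []byte
}
// NewSession takes the key and initial IV recovered from firmware (placeholders in this example).
func NewSession(key, iv0 []byte) (*Session, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Session{block: b, iv: append([]byte(nil), iv0...)}, nil
}
// Decrypt decrypts one chunk and advances the chained IV (stateful per-session tracking).
func (s *Session) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("chunk of %d bytes is not a multiple of the AES block size", len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(s.block, s.iv).CryptBlocks(pt, ct)
	s.iv = append([]byte(nil), ct[len(ct)-aes.BlockSize:]...)
	return pt, nil
}

// Inspect applies the two checks from the notes: the first data block to port 555
// is exactly 144 bytes, and byte[1] (msg) of the decrypted header is 0x01.
func Inspect(s *Session, first []byte) (alert bool, reason string) {
	if len(first) != hdrLen {
		return false, fmt.Sprintf("first block is %d bytes, not %d", len(first), hdrLen)
	}
	hdr, err := s.Decrypt(first)
	if err != nil {
		return false, err.Error()
	}
	if hdr[1] == 0x01 {
		return true, fmt.Sprintf("command request (flag=0x%02x msg=0x01)", hdr[0])
	}
	return false, fmt.Sprintf("msg=0x%02x is not a command request", hdr[1])
}
```

Feed each direction of a reassembled TCP/555 stream through its own Session so the chained IV stays in step; a stream whose first chunk is not 144 bytes is reported but never alerted on.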