CVE-2025-57174
Published: 15 September 2025
Summary
CVE-2025-57174 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Ceragon (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires proper establishment and management of cryptographic keys, directly preventing the use of static, hardcoded AES keys that enable attackers to craft exploitable packets.
Mandates identification, reporting, and remediation of flaws like hardcoded keys in firmware, ensuring timely patching to eliminate the RCE vulnerability.
Enforces boundary protection mechanisms such as firewalls to block unauthorized network access to TCP port 555, preventing remote exploitation of the vulnerable rfpiped service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote arbitrary command execution via exposed network service (rfpiped on TCP 555) using known static keys directly matches exploitation of a public-facing application.
NVD Description
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with shared firmware.
Deeper analysis
CVE-2025-57174 affects Siklu Communications Etherhaul 8010TX and 1200FX devices running firmware versions 7.4.0 through 10.7.3, and possibly other previous versions. The vulnerability resides in the rfpiped service listening on TCP port 555, which uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, enabling attackers to craft encrypted packets for executing arbitrary commands without authentication. This issue is a failed patch for CVE-2017-7318 and may impact other Etherhaul series devices with shared firmware. It is classified under CWE-321 (Use of Hard-coded Cryptographic Key) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any remote attacker with network access to TCP port 555 on an affected device can exploit this vulnerability without requiring authentication or privileges. By leveraging the publicly known static keys, attackers can construct and transmit encrypted packets that trigger arbitrary command execution on the device, achieving full remote code execution (RCE) and potentially compromising confidentiality, integrity, and availability.
Vendor advisories and further details are available at ceragon.com and etherhaul.com, with an independent security analysis published at https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/.
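The scoping described above can be turned into an inventory triage step. The following is an added example, not code from the vendor, NVD or the referenced analysis: it classifies devices by the model and firmware wording in the description and ranks those with TCP port 555 reachable first. The inventory columns, hostnames and the `EH-OTHER` model label are constructed for illustration.

```python
import csv
import io

# Values taken from the advisory text above.
AFFECTED_MODELS = {"8010TX", "1200FX"}
RANGE_LOW, RANGE_HIGH = (7, 4, 0), (10, 7, 3)
RFPIPED_PORT = 555

# Constructed sample inventory (hypothetical hostnames, columns and EH-OTHER label).
SAMPLE_INVENTORY = """hostname,model,firmware,open_tcp_ports
link-a,8010TX,10.7.3,22;443;555
link-b,1200FX,7.4.0,22;443
link-c,8010TX,7.3.9,555
link-d,1200FX,10.8.0,22;555
link-e,EH-OTHER,10.6.1,443;555
"""

def parse_version(text):
    """Turn '10.7.3' into (10, 7, 3); pads short versions, ignores build suffixes."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(model, firmware):
    """Map a device to the advisory's wording about model and firmware."""
    if model not in AFFECTED_MODELS:
        return "other-model-review"    # "may affect other Etherhaul series devices"
    version = parse_version(firmware)
    if RANGE_LOW <= version <= RANGE_HIGH:
        return "affected"
    if version < RANGE_LOW:
        return "possibly-affected"     # "possibly other previous versions"
    return "outside-listed-range"      # newer than 10.7.3: the page states nothing

def triage(inventory_csv):
    """Return (hostname, status, port_555_reachable), most urgent first."""
    order = ["affected", "possibly-affected", "other-model-review",
             "outside-listed-range"]
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ports = {int(p) for p in row["open_tcp_ports"].split(";") if p}
        status = classify(row["model"], row["firmware"])
        rows.append((row["hostname"], status, RFPIPED_PORT in ports))
    # Devices with rfpiped's port reachable come first, then by status.
    rows.sort(key=lambda r: (not r[2], order.index(r[1])))
    return rows

if __name__ == "__main__":
    for host, status, reachable in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {status:22} tcp/555 reachable: {reachable}")
```

Devices in the `outside-listed-range` bucket are not shown to be fixed by anything on this page, so they still warrant the boundary restriction on TCP port 555.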
Details
- CWE(s)