Cyber Resilience

CVE-2025-57174

Critical

Published: 15 September 2025

Published
15 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0169 82.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57174 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Ceragon (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-57174 affects Siklu Communications Etherhaul 8010TX and 1200FX devices running firmware versions 7.4.0 through 10.7.3, and possibly earlier releases or other Etherhaul series models that share the same firmware. The flaw resides in the rfpiped service listening on TCP port 555, which relies on static AES encryption keys that are hardcoded in the binary and identical across all devices. This constitutes a failed remediation of the earlier CVE-2017-7318 and is tracked under CWE-321 for use of hard-coded cryptographic keys.

An unauthenticated attacker with network access can exploit the weakness by crafting specially encrypted packets that the service will accept and execute as arbitrary commands, resulting in full control over the affected device. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting that no authentication, user interaction, or special conditions are required for remote code execution.

Vendor sites for Ceragon and Etherhaul are referenced alongside public disclosure reporting the issue, though no specific patch or mitigation guidance is detailed in the available references. The associated EPSS scores remain low, with a current value of 0.0169 and a peak of 0.0204.

EU & UK References

Vulnerability details

An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the binary. These…

more

keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with shared firmware.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote arbitrary command execution via exposed network service (rfpiped on TCP 555) using known static keys directly matches exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15016Shared CWE-321
CVE-2026-26335Shared CWE-321
CVE-2025-62581Shared CWE-321
CVE-2026-22586Shared CWE-321
CVE-2025-11899Shared CWE-321
CVE-2025-27674Shared CWE-321
CVE-2025-34215Shared CWE-321
CVE-2026-6580Shared CWE-321
CVE-2026-25505Shared CWE-321
CVE-2026-25894Shared CWE-321

Affected Assets

Ceragon
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires proper establishment and management of cryptographic keys, directly preventing the use of static, hardcoded AES keys that enable attackers to craft exploitable packets.

prevent

Mandates identification, reporting, and remediation of flaws like hardcoded keys in firmware, ensuring timely patching to eliminate the RCE vulnerability.

prevent

Enforces boundary protection mechanisms such as firewalls to block unauthorized network access to TCP port 555, preventing remote exploitation of the vulnerable rfpiped service.

References