CVE-2025-57176 Unknown Vendor CVE debrief

Who should care

OT, telecom, and network teams responsible for Ceragon Siklu MultiHaul or EtherHaul deployments, especially where management access may be reachable outside trusted internal networks.

Technical summary

The advisory describes a network-reachable service, rfpiped, on TCP 555 that allows unauthenticated uploads without path validation. Because file contents are transmitted in cleartext and only metadata is weakly encrypted, a remote actor who can reach the service may place files in writable locations on affected appliances. CISA's product list includes affected MultiHaul and EtherHaul models, with fixed versions identified in the remediation guidance.

Defensive priority

High for any deployment with reachable management services. The issue requires no authentication and is exposed over the network, so systems with broad or public reachability should be prioritized for patching and access restriction.

Recommended defensive actions

• Upgrade affected MultiHaul models to firmware R2.4.0.
• Upgrade affected EtherHaul EH-8010FX to firmware R10.8.1.
• Upgrade other affected EtherHaul models to firmware R7.7.12.
• Restrict management IP addresses to private subnets and keep management networks behind firewalls, ACLs, or secure management domains.
• Remove any public exposure of management interfaces and verify only approved administrative networks can reach TCP 555.
• Follow Ceragon's authentication and access-control guidance for all affected radio units.

Evidence notes

Evidence comes from the CISA CSAF advisory ICSA-26-069-04 published on 2026-03-10 and its embedded remediation notes. The source states that rfpiped on TCP 555 allows unauthenticated file uploads, that upload contents are sent in cleartext, and that no path validation is performed. The advisory also lists fixed firmware versions and recommends private, protected management networks. No KEV entry or ransomware linkage is present in the supplied corpus.

Official resources