Ceragon Siklu MultiHaul and EtherHaul Series

Monitor | CVSS 5.3 | ICS-CERT ICSA-26-069-04 | Mar 10, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Ceragon Siklu MultiHaul and EtherHaul microwave radio products contain an arbitrary file upload vulnerability (CWE-434) that allows remote attackers without credentials to upload files to affected equipment. The vulnerability affects multiple models across the EtherHaul TX, FX series and MultiHaul CCC/CNN/CCS variants. CVSS v3.1 base score is 5.3 (moderate), exploitable over the network with no authentication or user interaction required.

What this means
What could happen
An attacker could upload arbitrary files to these microwave radio units, potentially allowing them to modify firmware, alter network traffic routing, or take control of the radio equipment used for backhaul or inter-site links. This could disrupt communications between distributed sites or enable traffic interception.
Who's at risk
Network operators and utilities using Ceragon Siklu microwave radio equipment for backhaul, inter-site links, or network redundancy. This includes wireless ISPs, cellular operators, and enterprises with distributed sites. Affected equipment includes EtherHaul TX models (500, 600, 700, 710, 1200), FX models (1200, 2200, 2500, 8010), and MultiHaul CCC/CNN/CCS models used for point-to-point or point-to-multipoint links.
How it could be exploited
An attacker on the network sends an HTTP or HTTPS file upload request to the management interface of the radio unit without providing credentials. If the unit runs a vulnerable firmware version, the upload is accepted and written to the device storage, allowing execution of arbitrary code on the radio itself.
Prerequisites
  • Network access to the management interface (HTTP/HTTPS) of the affected radio unit
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects network infrastructure
  • Default or unrestricted management access
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (15)
15 with fix
Product                  Affected Versions   Fix Status
EtherHaul EH-600TX       <R7.7.12            R7.7.12
EtherHaul EH-1200TX      <R7.7.12            R7.7.12
EtherHaul EH-5500FD      <R7.7.12            R7.7.12
MultiHaul MH-B100-CCS    <R2.4.0             R2.4.0
MultiHaul MH-T200-CCC    <R2.4.0             R2.4.0
MultiHaul MH-T200-CNN    <R2.4.0             R2.4.0
MultiHaul MH-T201-CNN    <R2.4.0             R2.4.0
EtherHaul EH-8010FX      <R10.8.1            R10.8.1
Remediation & Mitigation
Do now
HARDENING: Configure management interfaces to use private IP addresses only (RFC 1918 ranges like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
HARDENING: Place all affected radio units behind a firewall or access control list (ACL) that restricts management interface access to authorized personnel and known administration subnets
HARDENING: Verify management IP addresses are not routable on the public Internet and are protected by internal security controls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EtherHaul EH-600TX, EH-1200TX, EH-5500FD, EH-500TX, EH-614TX, EH-700TX, EH-710TX, EH-1200FX, EH-2200FX, and EH-2500FX to firmware version R7.7.12 or later
HOTFIX: Update MultiHaul MH-B100-CCS, MH-T200-CCC, MH-T200-CNN, and MH-T201-CNN to firmware version R2.4.0 or later
HOTFIX: Update EtherHaul EH-8010FX to firmware version R10.8.1 or later
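
A defender-side triage of a radio inventory against the fix versions and management-address guidance above, as an added example that is not part of the advisory or any Ceragon tooling. The inventory record layout and the sample units are constructed, and firmware strings are assumed to follow the R<major>.<minor>.<patch> form used in the advisory.

```python
import ipaddress
import re

# Fixed firmware per model group, copied from the remediation list above.
FIX_GROUPS = {
    "R7.7.12": "EH-600TX EH-1200TX EH-5500FD EH-500TX EH-614TX EH-700TX "
               "EH-710TX EH-1200FX EH-2200FX EH-2500FX",
    "R2.4.0": "MH-B100-CCS MH-T200-CCC MH-T200-CNN MH-T201-CNN",
    "R10.8.1": "EH-8010FX",
}
FIXED = {m: fix for fix, models in FIX_GROUPS.items() for m in models.split()}
# The three RFC 1918 ranges named in the hardening steps.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """'R7.7.12' -> (7, 7, 12), so that R7.7.9 sorts below R7.7.12."""
    m = re.fullmatch(r"[Rr]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def triage(unit):
    """Return the list of findings for one inventory record (a dict)."""
    findings = []
    fix = FIXED.get(unit["model"].upper())
    if fix is None:
        findings.append("model not in advisory list; check manually")
    else:
        try:
            if parse_version(unit["firmware"]) < parse_version(fix):
                findings.append(f"firmware below {fix}")
        except ValueError:
            findings.append("firmware unreadable; check manually")
    addr = ipaddress.ip_address(unit["mgmt_ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("management IP outside RFC 1918")
    return findings

# Constructed sample inventory (not real devices; record layout is assumed).
INVENTORY = [
    {"model": "EH-1200TX", "firmware": "R7.7.9", "mgmt_ip": "10.20.0.5"},
    {"model": "MH-T200-CNN", "firmware": "R2.4.0", "mgmt_ip": "203.0.113.7"},
    {"model": "EH-8010FX", "firmware": "R10.8.1", "mgmt_ip": "172.20.1.9"},
]

if __name__ == "__main__":
    for u in INVENTORY:
        print(u["model"], u["mgmt_ip"], triage(u) or "ok")
```

The address check compares against the three named ranges explicitly rather than using `ipaddress`'s `is_private`, which also accepts loopback, link-local and other reserved space.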