Ceragon Siklu MultiHaul and EtherHaul Series

Monitor5.3ICS-CERT ICSA-26-069-04Mar 10, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Ceragon Siklu MultiHaul and EtherHaul radio relay units are affected by an arbitrary file upload vulnerability in their management interfaces. An attacker with network access to the management interface can upload arbitrary files without authentication, potentially compromising the device and network links it carries. The vulnerability affects multiple models across both product lines. Ceragon has released firmware updates to address the issue, but affected users should verify all units use private management IP addresses and are protected behind firewalls and access control lists. Management access should follow standard operator security guidelines and not be exposed publicly.

What this means

What could happen

An attacker could upload arbitrary files to affected radio relay units, potentially allowing them to alter network configurations, inject malicious firmware, or disable point-to-point links that carry traffic for utility operations.

Who's at risk

Ceragon Siklu MultiHaul and EtherHaul radio relay units used in utility point-to-point microwave links for SCADA, network backhaul, and critical infrastructure communications. Water authorities and electric utilities with long-distance network links between substations, water treatment plants, and pump stations are affected if they operate these radio models.

How it could be exploited

An attacker with network access to the management interface (typically port 80 or 443) can upload arbitrary files without authentication or valid credentials. The attacker could replace system files, configuration data, or firmware to compromise the device or the links it carries.

Prerequisites

Network access to the management interface of the radio unit
Management interface exposed to attacker's network segment or accessible from the internet

remotely exploitableno authentication requiredlow complexityno patch available for end-of-life models

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (15)

15 with fix

ProductAffected VersionsFix Status

EtherHaul EH-600TX: <R7.7.12<R7.7.12R7.7.12

EtherHaul EH-1200TX: <R7.7.12<R7.7.12R7.7.12

EtherHaul EH-5500FD: <R7.7.12<R7.7.12R7.7.12

MultiHaul MH-B100-CCS: <R2.4.0<R2.4.0R2.4.0

MultiHaul MH-T200-CCC: <R2.4.0<R2.4.0R2.4.0

MultiHaul MH-T200-CNN: <R2.4.0<R2.4.0R2.4.0

MultiHaul MH-T201-CNN: <R2.4.0<R2.4.0R2.4.0

EtherHaul EH-8010FX: <R10.8.1<R10.8.1R10.8.1

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGConfigure all radio units to use private RFC 1918 management IP addresses; do not expose management interfaces to public networks

HARDENINGPlace all radio units behind firewalls and implement access control lists to restrict management access to authorized administrative networks only

HARDENINGIf remote management access is required, use a VPN with current security patches; ensure the VPN is up to date with the latest available patches

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MultiHaul MH-B100-CCS, MH-T200-CCC, MH-T200-CNN, and MH-T201-CNN to firmware version R2.4.0 or later

HOTFIXUpdate EtherHaul EH-8010FX to firmware version R10.8.1 or later

HOTFIXUpdate EtherHaul EH-500TX, EH-600TX, EH-614TX, EH-700TX, EH-710TX, EH-1200TX, EH-1200FX, EH-2200FX, EH-2500FX, and EH-5500FD to firmware version R7.7.12 or later

CVEs (1)

CVE-2025-57176

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1d254dfa-841f-4b6e-b146-845d27f00b2a