Siklu EtherHaul Series - Static Root Password

Overview

During the early stages of the investigation of the Siklu EH-8010 it became apparent that the devices were using the same static root password that had previously been discovered on the Siklu TG series.

This password was originally recovered from the Siklu TG firmware, which stored it as a weak md5crypt hash; the hash was brute forced using existing rulesets.

Due to the sensitivity of this password, neither the full hash nor the clear-text password will be provided here.

cat etc/shadow
root:$5$q9V...aC:3::::::
admin:$5$lENXgHGmWmhrHdZ0$k/g0R3qsrhl3uognq1PBaMLsUSMWxJxOVhldNHrRtw6:3:0:99999:9999:::

The above was extracted from the latest 10.8.1 firmware and was also observed in the 10.6.2 firmware, suggesting the password has remained the same for some time.

Impact

In the standard configuration the root account cannot be used directly, as neither the web admin interface nor SSH permits logging in directly as root.

Access to the root account is normally restricted to the UART console (physical access required) or to the debug login CLI command, which is available when logged in as an admin user.

After debug login executes successfully, a root shell is spawned and the file /tmp/.rastamp is created; the presence of that file enables logging in directly as root via SSH.

If a threat actor obtained the admin credentials, this root account could provide persistence that is difficult to detect. Alternatively, if the threat actor could use another vulnerability to create the /tmp/.rastamp file, they would have direct access to the root account.
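The following script is an added example for defenders and firmware auditors; it is not part of this advisory and not Siklu's or Ceragon's code. It covers the two checks the sections above imply: auditing an extracted firmware's etc/shadow for weak hash schemes and for a root hash that is byte-identical across firmware releases (the static-password signal), and checking a collected filesystem image or live root for the /tmp/.rastamp marker. The only values taken from the advisory are the /tmp/.rastamp path and the $5$ (sha256crypt) prefix; every shadow line, digest and version label in the sample data is constructed and not a real hash.

```python
"""Firmware / forensic audit helpers for a static root password finding.

Added example, not the advisory author's or the vendor's code. All sample
shadow lines, digests and version labels are constructed; only the
/tmp/.rastamp path and the $5$ prefix come from the advisory text.
"""
import os
import tempfile

# crypt(3) scheme prefix -> (scheme name, considered weak against offline guessing)
SCHEMES = {
    "$1$": ("md5crypt", True),        # fast, no memory hardness: the TG-series case
    "$5$": ("sha256crypt", False),    # scheme seen in the EtherHaul shadow file
    "$6$": ("sha512crypt", False),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}

# Runtime marker named in the advisory, relative to the filesystem root.
RASTAMP = "tmp/.rastamp"


def parse_shadow(text):
    """Return {user: hash_field} from shadow-file text.
    Tolerates short or truncated lines such as the root entry quoted above."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def classify_hash(hash_field):
    """Return (scheme_name, is_weak, is_locked_or_empty) for one hash field."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return ("locked/empty", False, True)
    for prefix, (name, weak) in SCHEMES.items():
        if hash_field.startswith(prefix):
            return (name, weak, False)
    if len(hash_field) == 13:          # traditional DES crypt, 2-char salt + 11 chars
        return ("descrypt", True, False)
    return ("unknown", True, False)    # treat anything unrecognised as suspect


def audit_shadow(text):
    """List every usable account with its scheme and a weak-scheme flag."""
    findings = []
    for user, h in parse_shadow(text).items():
        scheme, weak, locked = classify_hash(h)
        if locked:
            continue
        findings.append({"user": user, "scheme": scheme, "weak": weak})
    return findings


def static_credentials(shadow_by_version):
    """Given {firmware_version: shadow_text}, return {user: [versions]} for
    accounts whose hash field (salt + digest) is identical across releases.
    An unchanged root hash across versions is the signal the advisory describes."""
    seen = {}
    for version, text in shadow_by_version.items():
        for user, h in parse_shadow(text).items():
            if classify_hash(h)[2]:
                continue
            seen.setdefault((user, h), []).append(version)
    return {user: sorted(v) for (user, _h), v in seen.items() if len(v) > 1}


def rastamp_present(fs_root):
    """True if the root-SSH-enabling marker exists under fs_root
    (a mounted forensic image, or "/" when run on the device itself)."""
    return os.path.exists(os.path.join(fs_root, RASTAMP))


def demo_rastamp_in_tempdir():
    """Exercise rastamp_present against a constructed filesystem root.
    Returns (present_before, present_after) creating the marker."""
    with tempfile.TemporaryDirectory() as root:
        before = rastamp_present(root)
        os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
        open(os.path.join(root, RASTAMP), "w").close()
        after = rastamp_present(root)
    return (before, after)


# Constructed sample shadow files (placeholder salts/digests, not real hashes).
SHADOW_V1 = """root:$5$CONSTRUCTEDSALT$CONSTRUCTEDDIGESTxxxxxxxxxxxxxxxxxxxxxxxxxxxx:3::::::
admin:$5$adminSaltOne$adminDigestOneyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:3:0:99999:9999:::
svc:$1$abc$legacyMd5cryptDigest:3:0:99999:9999:::
nobody:*:0:0:99999:7:::
"""
# Later release: admin rotated, legacy account removed, root hash unchanged.
SHADOW_V2 = """root:$5$CONSTRUCTEDSALT$CONSTRUCTEDDIGESTxxxxxxxxxxxxxxxxxxxxxxxxxxxx:3::::::
admin:$5$adminSaltTwo$adminDigestTwozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:3:0:99999:9999:::
nobody:*:0:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SHADOW_V1):
        print("{user:8} {scheme:12} weak={weak}".format(**f))
    print("unchanged across releases:",
          static_credentials({"10.6.2": SHADOW_V1, "10.8.1": SHADOW_V2}))
    print("rastamp (before, after):", demo_rastamp_in_tempdir())
```

In practice, point static_credentials at the etc/shadow files pulled from each extracted firmware image; a root entry that never changes between releases, as described above, is what you are looking for. The rastamp check belongs in a device baseline or incident-response collection script, since the marker lives in /tmp and will not appear in firmware images.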

Affected Products

Confirmed Vulnerable

  • Product: Ceragon/Siklu EtherHaul Series devices (Tested on 8010 and 1200)
  • Versions: 10.6.2, 10.7.3 (tested)
  • Likely Affected: All EtherHaul series devices running firmware 7.4.0 or later

Patch Status

No patch available at the time of this post.

Vendor Response

When asked for an estimated patch timeline, the vendor stated:

Although we cannot estimate an ETA at this stage, the topic is already under review as part of our continuous improvement approach, and steps toward enhancing it are being considered.

Disclaimer: This disclosure is provided for educational and defensive purposes. The author is not responsible for any misuse of this information.