
Vulnerability Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.

Submit a Security Issue

CPSEC-496: Cradlepoint Secure Threat Management (CPSTM) Vulnerable to Trend Micro Network Security Vulnerabilities

June 22, 2021

SUMMARY: Cradlepoint Secure Threat Management (CPSTM) leverages Trend Micro’s Deep Packet Inspection (DPI) solution and is affected by publicly disclosed privilege escalation vulnerabilities. In order to be exploitable, CPSTM would have to be enabled on the endpoint and a threat actor would have to have already authenticated as an administrator in NCOS, thus already granting […]


CPSEC-425 Vulnerability Alert

May 28, 2021

SUMMARY: Cradlepoint’s MC20BT, Bluetooth Low Energy 5.1 Module, was released January 2021 and is compatible with E3000 and E300 Enterprise Branch routers. The MC20BT is vulnerable to CVE-2020-26558 (patched in NCOS version 7.21.40) and VU#799380.5 (patched in NCOS version 7.21.20). Public Disclosure: https://kb.cert.org/vuls/id/799380 Recommendations: If you are using the MC20BT with an Enterprise […]


CPSEC-486: Cradlepoint Wi-Fi Enabled Hardware Vulnerable to FragAttack (Wi-Fi Packet Fragmentation Vulnerabilities)

May 21, 2021

SUMMARY: Recently published vulnerabilities in how the Wi-Fi protocol handles packet fragmentation affect all Wi-Fi chipsets. Vendors have been releasing patches, and Cradlepoint R&D is engaging our Wi-Fi chipset vendors to integrate patches into NCOS. Exploitation of these vulnerabilities requires a threat actor to be in range of a device’s […]


CPSEC-368: NetCloud OS (NCOS) Vulnerable to DNSpooq (DNSmasq)

January 19, 2021

SUMMARY: Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS; therefore, possible configuration states and potential impacts are listed. Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/ Affected Components: NCOS versions up to 7.21.20 Recommendations: Promptly test and upgrade to […]


CPSEC-284: Cradlepoint Unaffected by Ripple20 Vulnerabilities

June 30, 2020

Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities. Mitigation: No mitigation necessary.


CPSEC-278: Cradlepoint Not Vulnerable to CVE-2020-12695 (aka CallStranger)

June 17, 2020

Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of a Callback header value in the UPnP Subscribe function, allowing for possible data exfiltration, DDoS and/or scanning internal ports from Internet-facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity […]


CPSEC-49: Tech Support Mode Warning Bypass

August 6, 2019

Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built into the administrative interfaces. Identified: New York City Cyber Command (NYC3) IBR1700 assessment results. Impact: High: Enabling the “cproot” account in this way suppresses one of the […]


CPSEC-20: NCM Account Automation assigns System Admin role to users on POD

January 18, 2019

Summary: The NetCloud Manager (NCM) system administrator was changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations. Identified: Benjamin A. Fischer, Indiana Department of […]


CPSEC-16: XSS Vulnerability on Cradlepoint Website

January 8, 2019

Summary: Reflected Cross Site Scripting (XSS) Vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third party researcher Ketan Madhukar Mukane. Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation […]


CPSEC-18: Libssh Vulnerability

November 9, 2018

Summary: A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious agent could create channels without performing authentication, facilitating unauthorized access. Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS – Although we […]

