Security Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.

Submit a Security Issue

Security Bulletin – 2023-001: Possibility to Replace Endpoint Operating System

October 9, 2023

This notice is a response to the publication “Rooting the Cradlepoint IBR600” that was published in October 2023. Cradlepoint is aware of the issue and has determined that only with sufficient physical access to the endpoint it is possible to replace the endpoint’s NetCloud OS software in this manner. In the event the software is replaced, it […]

CVE-2022-47522: WiFi Framing Frames Vulnerability

May 25, 2023

SUMMARY: Cradlepoint is aware of and has evaluated this issue. Cradlepoint is in the process of updating the kernel used in our router firmware. This is currently targeted for Q4 which will address this vulnerability. Patches for old kernels not available at this time. Cradlepoint has assessed this vulnerability as a Low due to the […]

CVE-2022-3086: Cradlepoint NCOS Command Injection

November 18, 2022

SUMMARY: An authenticated local user on NetCloud OS (NCOS) versions before 7.22.70 can run a restricted shell escape sequence utilizing an OpenVPN Tunnel Feature that could allow local authenticated user the ability to execute code.     Public Disclosure:   Vulnerability Status: NetCloud Manager: Not Affected NetCloud OS: Affected, Patched July 2022 with release […]

Security Bulletin – 2022-001: Activity Log Secrets Non-Public Information

November 3, 2022

Cradlepoint became aware of the potential for information not intended to be included in activity logs or to have been written to the logs on Cradlepoint routers running NCOS (NETCLOUD OPERATING SYSTEM) 7.21.40. or newer operating systems prior to October 21, 2022. The issue stems from a change to the Cradlepoint NCOS configuration released on […]

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

April 14, 2022

SUMMARY: In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions — when using routing functionality — it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. NetCloud Manager utilizes Spring Cloud Function and was subsequently updated upon […]

CVE-2021-44228/CVE-2021-45046/CVE-2021-45105: Apache Log4j Security Vulnerabilities Update

December 20, 2021

SUMMARY: A critical vulnerability for Log4J was publicly disclosed on Dec. 10, 2021. The Cradlepoint incident response team investigated, identified and patched vulnerable versions of Log4J in its cloud services. NetCloud OS (NCOS) does not use java, thus, Cradlepoint devices are unaffected by the Log4J vulnerabilities.     Problem description: It was found that the […]

CVE-2021-37471: Denial of Console Availability Using Restricted Shell Escape Sequences

November 8, 2021

SUMMARY: An authenticated user on NetCloud OS (NCOS) versions before 7.21.80 can run restricted shell escape sequences that provide the authenticated user the capability to simultaneously deny availability to the device’s NetCloud Manager console, local console and SSH command-line. If your Cradlepoint device is configured for local administration and your NCOS credentials are default or […]

CPSEC-496: Cradlepoint Secure Threat Management (CPSTM) Vulnerable to Trend Micro Network Security Vulnerabilities

June 22, 2021

SUMMARY: Cradlepoint Secure Threat Management (CPSTM) leverages Trend Micro’s Deep Packet Inspection (DPI) solution and is affected by publicly disclosed privilege escalation vulnerabilities. In order to be exploitable, CPSTM would have to be enabled on the endpoint and a threat actor would have to have already authenticated as an administrator in NCOS, thus already granting […]

CPSEC-425 Vulnerability Alert

May 28, 2021

SUMMARY: Cradlepoint’s MC20BT, Bluetooth® wireless technology Low Energy 5.1 Module, was released January 2021 and is compatible with E3000 and E300 Enterprise Branch routers. The MC20BT is vulnerable to CVE-2020-26558 (patched in NCOS version 7.21.40) and VU#799380.5 (patched in NCOS version 7.21.20).     Public Disclosure: Recommendations: If you are using the MC20BT with […]

CPSEC-486: Cradlepoint Wi-Fi Enabled Hardware Vulnerable to FragAttack (Wi-Fi Packet Fragmentation Vulnerabilities)

May 21, 2021

SUMMARY: Recent publicly released vulnerabilities found in the Wi-Fi protocol regarding how Wi-Fi handles fragmentation of packets, affect all Wi-Fi chipsets. Vendors have been releasing patches and Cradlepoint R&D is engaging our Wi-Fi chipset vendors for integrating patches into NCOS. Exploitation of these vulnerabilities requires a threat actor to be in range of a device’s […]

Loading Image

Loading more articles