Discover Cradlepoint near you

We have dedicated teams in regions the world over. We’re here to answer your questions and connect you with the perfect Wireless WAN solution for your unique business needs.

Asia-Pacific
North America
Latin America
Africa
Europe

For a full list of where our solutions are available, please visit our Availability Page.


Vulnerability Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.

Submit a Security Issue

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

April 14, 2022

SUMMARY: In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions — when using routing functionality — it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. NetCloud Manager utilizes Spring Cloud Function and was subsequently updated upon […]


CVE-2021-44228/CVE-2021-45046/CVE-2021-45105: Apache Log4j Security Vulnerabilities Update

December 20, 2021

SUMMARY: A critical vulnerability for Log4J was publicly disclosed on Dec. 10, 2021. The Cradlepoint incident response team investigated, identified and patched vulnerable versions of Log4J in its cloud services. NetCloud OS (NCOS) does not use java, thus, Cradlepoint devices are unaffected by the Log4J vulnerabilities.     Problem description: It was found that the […]


CVE-2021-37471: Denial of Console Availability Using Restricted Shell Escape Sequences

November 8, 2021

SUMMARY: An authenticated user on NetCloud OS (NCOS) versions before 7.21.80 can run restricted shell escape sequences that provide the authenticated user the capability to simultaneously deny availability to the device’s NetCloud Manager console, local console and SSH command-line. If your Cradlepoint device is configured for local administration and your NCOS credentials are default or […]


CPSEC-496: Cradlepoint Secure Threat Management (CPSTM) Vulnerable to Trend Micro Network Security Vulnerabilities

June 22, 2021

SUMMARY: Cradlepoint Secure Threat Management (CPSTM) leverages Trend Micro’s Deep Packet Inspection (DPI) solution and is affected by publicly disclosed privilege escalation vulnerabilities. In order to be exploitable, CPSTM would have to be enabled on the endpoint and a threat actor would have to have already authenticated as an administrator in NCOS, thus already granting […]


CPSEC-425 Vulnerability Alert

May 28, 2021

SUMMARY: Cradlepoint’s MC20BT, Bluetooth Low Energy 5.1 Module, was released January 2021 and is compatible with E3000 and E300 Enterprise Branch routers. The MC20BT is vulnerable to CVE-2020-26558 (patched in NCOS version 7.21.40) and VU#799380.5 (patched in NCOS version 7.21.20).     Public Disclosure: https://kb.cert.org/vuls/id/799380 Recommendations: If you are using the MC20BT with an Enterprise […]


CPSEC-486: Cradlepoint Wi-Fi Enabled Hardware Vulnerable to FragAttack (Wi-Fi Packet Fragmentation Vulnerabilities)

May 21, 2021

SUMMARY: Recent publicly released vulnerabilities found in the Wi-Fi protocol regarding how Wi-Fi handles fragmentation of packets, affect all Wi-Fi chipsets. Vendors have been releasing patches and Cradlepoint R&D is engaging our Wi-Fi chipset vendors for integrating patches into NCOS. Exploitation of these vulnerabilities requires a threat actor to be in range of a device’s […]


CPSEC-368: NetCloud OS (NCOS) Vulnerable to DNSpooq (DNSmasq)

January 19, 2021

SUMMARY: Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS therefore possible configuration states and potential impacts are listed.     Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/ Affected Components: NCOS versions up to 7.21.20 Recommendations: Promptly test and upgrade to […]


CPSEC-284: Cradlepoint Unaffected by Ripple20 Vulnerabilities

June 30, 2020

Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities. Mitigation: No mitigation necessary.


CPSEC-278: Cradlepoint Not Vulnerable to CVE-2020-12695 (aka CallStranger)

June 17, 2020

Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of a Callback header value in the UPnP Subscribe function, allowing for possible data exfiltration, DDOS and/or scanning internal ports from Internet facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity […]


CPSEC-49: Tech Support Mode Warning Bypass

August 6, 2019

Device permitted enabling of “cproot” account through the “Add User” function built into administrative interface. Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built in to the administrative interfaces. Identified: New York City Cyber Command (NYC3) IBR1700 assessment results. Impact: High: Enabling the “cproot” account in this way suppresses one of the […]


Loading Image

Loading more articles