The Industry’s First 5G Enterprise Router for the Wireless WAN Era Learn More
Whether in the office or on the go, centrally manage your wireless WAN with point-and-click ease and an array of helpful dashboards.
Explore our learning portal for in-depth training and certifications regarding installation, management, and monitoring of Cradlepoint solutions.
Customers use our online community to chat with support experts, engage with other customers, and learn about Cradlepoint features.
Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.
SUMMARY: A critical vulnerability for Log4J was publicly disclosed on Dec. 10, 2021. The Cradlepoint incident response team investigated, identified and patched vulnerable versions of Log4J in its cloud services. NetCloud OS (NCOS) does not use java, thus, Cradlepoint devices are unaffected by the Log4J vulnerabilities. Problem description: It was found that the […]
SUMMARY: An authenticated user on NetCloud OS (NCOS) versions before 7.21.80 can run restricted shell escape sequences that provide the authenticated user the capability to simultaneously deny availability to the device’s NetCloud Manager console, local console and SSH command-line. If your Cradlepoint device is configured for local administration and your NCOS credentials are default or […]
SUMMARY: Cradlepoint Secure Threat Management (CPSTM) leverages Trend Micro’s Deep Packet Inspection (DPI) solution and is affected by publicly disclosed privilege escalation vulnerabilities. In order to be exploitable, CPSTM would have to be enabled on the endpoint and a threat actor would have to have already authenticated as an administrator in NCOS, thus already granting […]
SUMMARY: Cradlepoint’s MC20BT, Bluetooth Low Energy 5.1 Module, was released January 2021 and is compatible with E3000 and E300 Enterprise Branch routers. The MC20BT is vulnerable to CVE-2020-26558 (patched in NCOS version 7.21.40) and VU#799380.5 (patched in NCOS version 7.21.20). Public Disclosure: https://kb.cert.org/vuls/id/799380 Recommendations: If you are using the MC20BT with an Enterprise […]
SUMMARY: Recent publicly released vulnerabilities found in the Wi-Fi protocol regarding how Wi-Fi handles fragmentation of packets, affect all Wi-Fi chipsets. Vendors have been releasing patches and Cradlepoint R&D is engaging our Wi-Fi chipset vendors for integrating patches into NCOS. Exploitation of these vulnerabilities requires a threat actor to be in range of a device’s […]
SUMMARY: Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS therefore possible configuration states and potential impacts are listed. Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/ Affected Components: NCOS versions up to 7.21.20 Recommendations: Promptly test and upgrade to […]
Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities. Mitigation: No mitigation necessary.
Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of a Callback header value in the UPnP Subscribe function, allowing for possible data exfiltration, DDOS and/or scanning internal ports from Internet facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity […]
Device permitted enabling of “cproot” account through the “Add User” function built into administrative interface. Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built in to the administrative interfaces. Identified: New York City Cyber Command (NYC3) IBR1700 assessment results. Impact: High: Enabling the “cproot” account in this way suppresses one of the […]
Summary: NetCloud Manager (NCM) system administrator was been changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations. Identified: Benjamin A. Fischer, Indiana Department of […]
