Ericsson Enterprise Wireless

Security Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.

Submit a Security Issue

CPSEC-4: Weak Encryption of stored user passwords

October 20, 2018

Summary: The passwords for local user accounts, stored locally on the router, were not effectively encrypted. Mitigation: Involved changing admin and user passwords. Disable local and remote access to the router and restrict remote access to certain IP’s. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article


CPSEC-7: Cross Site Scripting Mitigation

October 19, 2018

Summary: Cradlepoint’s security auditor, Carve Systems, discovered two occasions where the router’s User Interface was susceptible to an external attack. Mitigation: Involved insuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. CVE – Various NIST/NVD Details


CPSEC-8: UPnP vulnerable to Denial of Service (DoS) attack

Summary: The version of Universal Plug and Play (UPnP) Cradlepoint used was vulnerable to a local DoS attack. Cradlepoint updated to a newer version. Mitigation: Involved insuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.


CPSEC-9: OpenSSL vulnerable to DROWN attack

Summary: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products and required a server to send a ServerVerify message before establishing the client possesses certain plaintext RSA data. This action makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka […]


CPSEC-10: WiFi Protected Access (WPA) & WPA2 Vulnerabilities “KRACK”

Summary: A WiFi vulnerability issue has been published that affects WPA and WPA2 authentication. This security vulnerability is in a WiFi security protocol (WPA/WPA2) which Cradlepoint and most, if not all, WiFi devices use. Cradlepoint, noted limited attack surfaces. Mitigation: Involved insuring that all routers are running firmware version 6.4.2 or newer. Knowledge Article


CPSEC-11: HTTP Proxy Content Filtering Vulnerability

Summary: When the HTTP Proxy Content Filtering is ENABLED in FW 5.3.0 – 5.3.3, a firewall rule is enabled that allows WAN access to the proxy. Mitigation: Involved upgrading firmware to a version newer than 5.3.3. Also, see the knowledge base article for adding a firewall rule. For more information or instructions on these mitigation steps, consult […]


CPSEC-12: CVE-2014-6271 & CVE-2014-7169 “Bash Bug”

Summary: Cradlepoint has addressed the critical security vulnerability known as “Bash bug” (CVE-2014-6271 & 7169). The Vulnerability Security Response team (VSR) noted that no Cradlepoint routers were affected. Mitigation: No mitigation or action required. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article CVE-2014-6271 NIST/NVD Detail CVE-2014-7169 […]


CPSEC-13: Open SSL “POODLE” Vulnerability

Summary: The OpenSSL project released an advisory on October 15th, 2014, which describes the newly discovered vulnerability (CVE-2014-3566). Some Cradlepoint products utilize OpenSSL and are affected by this advisory. Mitigation: Involved upgrading to firmware version 5.2.4 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article […]


CPSEC-14: Open SSL “Heartbleed” Vulnerability

Summary: This vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they have collected. Mitigation: Involved upgrading to firmware version 5.1.1 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article CVE-2014-0160 NIST/NDV Detail


CPSEC-15: Device population shares same SSL/TLS & SSH keys

Summary: Cradlepoint devices are provisioned with SSL/TLS certificates and SSH host keys that are shared across subsets of the Cradlepoint device population. This sharing enables an attacker to recover the private key material from a device or firmware image and use it against another Cradlepoint administrator to implement a man-in-the-middle attack. Mitigation: Involved upgrading to firmware version […]


Loading Image

Loading more articles