OTPulse

Cradlepoint IBR600

Plan Patch · 7.1 · ICS-CERT ICSA-22-321-02 · Nov 17, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A command injection vulnerability (CWE-77) exists in Cradlepoint IBR600 NetCloud OS (NCOS) version 6.5.0.160bc2e and prior that allows an attacker with local access to execute arbitrary native system commands and code on the router. The IBR600 is commonly deployed as an edge router for secure remote management of industrial control devices.

What this means
What could happen
An attacker with local access to an IBR600 router could execute arbitrary commands on the device, potentially allowing them to modify network traffic, alter routing decisions, or disrupt internet connectivity for critical control systems.
Who's at risk
Water utilities and electric distribution operators relying on Cradlepoint IBR600 routers for remote access, remote terminal units (RTUs), or SCADA communications are affected. This impacts any organization using the IBR600 as an edge router for critical control network connectivity, particularly in remote substations or pump stations.
How it could be exploited
An attacker with local access (or with physical access to the device) can exploit the command injection flaw to execute arbitrary system commands. The attack requires local or physical presence and valid credentials or local execution context.
Prerequisites
  • Local access to the IBR600 device or physical access to the router
  • Low-privilege user account or ability to execute commands in a local context
  • No remote exploitation vector—attacker must be on the device or network segment with local access
  • Low attack complexity
  • Requires local access (reduces remote risk)
  • No patch available for NCOS versions 6.5.0.160bc2e and prior
  • Affects network edge routers (potential points of control system access)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
IBR600 - Cradlepoint IBR600 NetCloud OS (NCOS) Version: 6.5.0.160bc2e and prior | ≤ 6.5.0.160bc2e | 7.22.70
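
To turn the affected range and fixed release above into a fleet check, the following added example (not part of the advisory or any Cradlepoint tooling) triages an inventory export by NCOS version. The CSV layout, hostnames and status labels are assumptions, and it compares only the numeric major.minor.patch part, treating every 6.5.0 build as affected because the trailing build identifier is assumed not to be orderable.

```python
import csv
import io
import re

LAST_AFFECTED = (6, 5, 0)   # advisory: 6.5.0.160bc2e and prior
FIRST_FIXED = (7, 22, 70)   # advisory: update to 7.22.70 or later

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """hostname,model,ncos_version
pump-stn-01,IBR600,6.5.0.160bc2e
substation-07,IBR600,6.4.2
lift-stn-03,IBR600,7.1.40
plant-gw-02,IBR600,7.22.70
depot-rtr-09,IBR600,7.23.10
yard-rtr-04,IBR600,unknown
office-rtr-01,IBR900,6.5.0
"""

def parse_ncos(version):
    """Return (major, minor, patch), or None if the string is unusable."""
    # An optional fourth dotted field (build identifier) is accepted and ignored.
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.[0-9A-Za-z]+)?\s*$", version)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version):
    parsed = parse_ncos(version)
    if parsed is None:
        return "UNKNOWN"        # fail closed: needs manual verification
    if parsed <= LAST_AFFECTED:
        return "AFFECTED"       # inside the advisory's affected range
    if parsed < FIRST_FIXED:
        return "BELOW_FIXED"    # not listed as affected, but older than the fixed release
    return "FIXED"

def triage(inventory_csv, model="IBR600"):
    """Map hostname -> status for devices of the given model only."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["ncos_version"])
            for r in rows if r["model"].strip().upper() == model}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{status:12} {host}")
```

Devices reported as UNKNOWN should be checked by hand rather than assumed patched.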
Remediation & Mitigation
Do now
HARDENING: Restrict local and physical access to IBR600 routers through locked enclosures, secure server rooms, and access control lists
HARDENING: Disable local management access and shell access if not required for operations; configure remote management through NetCloud Manager only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update IBR600 NetCloud OS (NCOS) to version 7.22.70 or later via NetCloud Manager
Long-term hardening
HARDENING: Monitor IBR600 logs for unusual command execution or local login attempts