I like your products, but this has been cooking inside my head for several weeks now. I have the Route10, controller, and switch. Have those products been scanned with Rapid7, Tenable, Qualys, ManageEngine or other vulnerability scanning tools? As far as I know, there's no DISA STIG or CIS baseline for OpenWrt. At least vulnerabilities against OpenWrt are reported in the NIST NVD. I believe the controller is Ubuntu, so you can follow the errata for Ubuntu. If a vulnerability is found, is there Kali Linux/penetration testing to make sure there isn't a remotely executable hole in an Alta product? Is there company reporting about vulnerabilities against Alta products? I guess this CVE vulnerabilities Route10 and controller is a start, but is Alta actively scanning for such vulnerabilities?
Alta has mentioned in a few of their livestreams that they monitor for vulnerabilities, but it’s unclear how deep that process goes or what tools they use.
That said, their devices are relatively well locked down. Most OpenWRT-based systems are, by design. But it’s worth noting that Alta’s platform is primarily cloud-managed, and even when accessed locally, you don’t have full control over the firmware. You’re limited to what Alta provides and when they choose to release updates. So in practice, patching and hardening are handled on their terms.
Automated scans on OpenWRT often produce a lot of false positives, since they typically rely on package version matching. Just because a library version is present doesn’t mean it’s exploitable in that environment.
If DISA STIGs or CIS benchmarks are a requirement in your environment, chances are you’re also working off an approved hardware/software list. In those cases, it’s usually vendors like Cisco, Palo Alto, or similar. Those manufacturers often publish their own configuration baselines, which mostly cover things like logging, least privilege, containerization/segregation, and FIPS 140-2 compliance.
In cases where a STIG/SRG isn't available, it's usually required to use an indirect one and try to use it along with vendor documentation to implement as much of, say, the Cisco STIG on Alta in this instance, even knowing most of it would be N/A. But again, that is a stretch and only buys time.
I will post this here just in case one of the Qualcomm chipsets in the vulnerabilities list in this link matches the chipset for the Route10. https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2025-bulletin.html
Obviously automobile OEMs or cell phone manufacturers have a lot more riding on their functionality than the Route10. It's not just DISA STIGs or CIS configurations, but also Spectre, MITRE, ASLR, KASLR, (R)DMA, memory corruption issues like the ones in the Qualcomm GPUs in June. From the link above, it looks like Google is doing a lot of the security testing of the Qualcomm products since Qualcomm Snapdragon CPUs/chipsets end up in Android phones, but the link also says the manufacturers should apply their own patches … Hence this thread. More information will definitely help.
The Route10 is running the IPQ9574 chipset, just for reference there:

```
ubus call system board
{
	"initramfs": true,
	"kernel": "5.4.213",
	"hostname": "HomeRouter",
	"system": "ARMv8 Processor rev 0",
	"model": "Qualcomm Technologies, Inc. IPQ9574/Alta-Route10",
	"board_name": "qcom,ipq9574-alta-route10",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "1.4i",
		"target": "ipq95xx/generic",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
```
I see the chipset mentioned in those security bulletins, although related to WLAN vulnerabilities and I think a vulnerability related to the firmware image format Android uses. The vulnerability CVE-2025-21464 seems like it could possibly be relevant, but that's a bit outside my wheelhouse! I'll let someone from Alta Labs comment on this if there's something more to add.
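For anyone wanting to turn the `ubus call system board` output above into something a scanner or inventory can consume, here is an added example (my own code, not Alta's or OpenWrt's) that parses that JSON into an asset record and then does the kind of version matching a scanner does, while reporting only "review" rather than "vulnerable", which is exactly the false-positive point made earlier in this thread: OpenWrt carries backported patches without bumping the kernel version string, and the affected code may not even be compiled in. The JSON values are copied from the post above; the advisory list and its CVE ids are constructed placeholders, not real advisories.

```python
import json
from dataclasses import dataclass

# Constructed sample input: same shape and values as the `ubus call system board`
# output posted above for the Route10 (not taken from a live device here).
BOARD_JSON = """
{
  "initramfs": true,
  "kernel": "5.4.213",
  "hostname": "HomeRouter",
  "system": "ARMv8 Processor rev 0",
  "model": "Qualcomm Technologies, Inc. IPQ9574/Alta-Route10",
  "board_name": "qcom,ipq9574-alta-route10",
  "release": {
    "distribution": "OpenWrt",
    "version": "21.02.1",
    "revision": "1.4i",
    "target": "ipq95xx/generic",
    "description": "OpenWrt 21.02.1 r16325-88151b8303"
  }
}
"""


@dataclass
class Asset:
    hostname: str
    soc_vendor: str       # e.g. "qcom"
    soc: str              # e.g. "ipq9574"
    board: str            # e.g. "alta-route10"
    distribution: str     # e.g. "OpenWrt"
    release: str          # upstream OpenWrt release, e.g. "21.02.1"
    vendor_revision: str  # vendor firmware revision, e.g. "1.4i"
    kernel: tuple         # numeric kernel version, e.g. (5, 4, 213)


def parse_version(text):
    """'5.4.213' -> (5, 4, 213); tuples compare element-wise, so 5.4.9 < 5.4.10."""
    return tuple(int(part) for part in text.split("."))


def parse_board(text):
    """Turn the ubus JSON into an Asset record for an inventory or scan feed."""
    data = json.loads(text)
    # "qcom,ipq9574-alta-route10" -> vendor "qcom", board id "ipq9574-alta-route10"
    vendor, _, board_id = data["board_name"].partition(",")
    # "ipq9574-alta-route10" -> SoC "ipq9574", board "alta-route10"
    soc, _, board = board_id.partition("-")
    rel = data["release"]
    return Asset(
        hostname=data["hostname"],
        soc_vendor=vendor,
        soc=soc,
        board=board,
        distribution=rel["distribution"],
        release=rel["version"],
        vendor_revision=rel["revision"],
        kernel=parse_version(data["kernel"]),
    )


# Constructed advisory list with placeholder ids (not real CVEs); real data would
# come from NVD or a vendor bulletin. "fixed_in" is the upstream kernel version
# that carries the fix.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "kernel", "fixed_in": "5.4.230"},
    {"id": "CVE-PLACEHOLDER-0002", "component": "kernel", "fixed_in": "5.4.100"},
]


def triage(asset, advisories):
    """Version-match the way a scanner does, but never conclude 'vulnerable' from
    the version string alone: OpenWrt backports fixes without changing the kernel
    version, and the affected driver or feature may not be built into this image."""
    results = {}
    for adv in advisories:
        if adv["component"] != "kernel":
            continue
        if asset.kernel < parse_version(adv["fixed_in"]):
            # Older than the fixed version: needs manual confirmation, not a finding yet.
            results[adv["id"]] = "review"
        else:
            # At or past the fixed version: ruled out on version grounds.
            results[adv["id"]] = "not-affected"
    return results


if __name__ == "__main__":
    asset = parse_board(BOARD_JSON)
    print(asset)
    for cve, status in triage(asset, ADVISORIES).items():
        print(f"{cve}: {status}")
```

Confirming a "review" item means checking whether OpenWrt's kernel patch set for that release already contains the upstream fix, and whether the affected code is present in the image at all; only then does it become a finding.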