Summary
Successful exploitation of these vulnerabilities could result in authentication being disabled, a denial-of-service condition, or an attacker stealing valid user credentials, including administrator credentials.
The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 are affected:
- USR-W610 <=3.1.1.0 (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Jinan USR IOT Technology Limited (PUSR) | Jinan USR IOT Technology Limited (PUSR) USR-W610 | Weak Password Requirements, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials, Missing Authentication for Critical Function |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China
Vulnerabilities
CVE-2026-25715
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
Affected Products
- Product: Jinan USR IOT Technology Limited (PUSR) USR-W610
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product version: Jinan USR IOT Technology Limited (PUSR) USR-W610: <=3.1.1.0
- Product status: known_affected
Remediations
Vendor fix
Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.
Relevant CWE: CWE-521 Weak Password Requirements
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.
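The following is an added example for defenders, not code from the advisory or the vendor. It inspects captured cleartext HTTP requests for Basic credentials and also flags the blank-credential state described under CVE-2026-25715. The host address, path, and credentials in the samples are constructed.

```python
import base64
import binascii
from typing import Optional

def audit_basic_auth(raw_request: bytes) -> Optional[dict]:
    """Inspect one captured cleartext HTTP request for Basic credentials.

    Returns None when no Basic Authorization header is present; otherwise a
    finding that never contains the password itself, only its length.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            # Base64 is an encoding, not encryption: no key is needed here.
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return {"finding": "malformed"}
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        if not sep:
            return {"finding": "malformed"}
        blank = user == "" and password == ""
        return {
            "finding": "blank-credentials" if blank else "cleartext-credentials",
            "user": user,
            "password_len": len(password),
        }
    return None

def _request(userpass: str) -> bytes:
    """Build a constructed sample request (hypothetical host and path)."""
    token = base64.b64encode(userpass.encode()).decode()
    return (f"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()

SAMPLE_PASSWORD = "Constructed-Pass1"          # constructed, not a real credential
SAMPLES = [_request(f"admin:{SAMPLE_PASSWORD}"), _request(":"),
           b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit_basic_auth(raw))
```

A `cleartext-credentials` finding on a management VLAN means the credential should be treated as exposed to anyone on that segment; a `blank-credentials` finding means authentication on the device is effectively off.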
Affected Products
- Product: Jinan USR IOT Technology Limited (PUSR) USR-W610
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product version: Jinan USR IOT Technology Limited (PUSR) USR-W610: <=3.1.1.0
- Product status: known_affected
Remediations
Vendor fix
Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.
Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
Metrics