Advisory

Critical Vulnerabilities Reported in PUSR USR-W610 Industrial IoT Devices

Take action: If you are using Jinan USR IOT Technology Limited USR-W610 devices, make sure they are isolated from the internet and accessible only from trusted networks, and make sure every device has a complex password. Since these industrial IoT devices are end-of-life, plan to replace them with new supported hardware.


Learn More

CISA and Jinan USR IOT Technology Limited (PUSR) report four security vulnerabilities affecting PUSR's USR-W610 serial-to-wireless converters.

Vulnerabilities summary:

  • CVE-2026-25715 (CVSS score 9.8) - A weak password requirement vulnerability where the web management interface allows administrators to set blank usernames and passwords. Once empty credentials are applied, the device permits unauthenticated access via both the web UI and Telnet, allowing network-adjacent attackers to gain full administrative control.
  • CVE-2026-24455 (CVSS score 7.5) - A cleartext transmission flaw caused by the lack of HTTPS/TLS support for management sessions. The device uses HTTP Basic Authentication, which only encodes credentials rather than encrypting them, letting attackers on the same network intercept and steal login data through passive sniffing.
  • CVE-2026-26049 (CVSS score 5.7) - An insufficient credential protection issue where the web interface renders passwords in plaintext input fields. This flaw exposes sensitive administrator credentials to anyone with a physical or remote view of the screen, including through shoulder surfing or browser form caching.
  • CVE-2026-26048 (CVSS score 7.5) - A denial-of-service vulnerability stemming from the absence of Management Frame Protection (MFP). Attackers can broadcast forged de-authentication and disassociation frames to force wireless clients to disconnect, effectively disrupting industrial communications without needing to authenticate.
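
For monitoring devices that remain in service, the following added example (not part of the advisory or of any PUSR or CISA tooling) audits logged cleartext HTTP requests for the conditions described in CVE-2026-24455 and CVE-2026-25715: a Basic Authentication header sent without TLS, and a header that carries blank credentials. The log line format, addresses, path and credentials are constructed for illustration.

```python
import base64
import binascii
import re

BASIC_RE = re.compile(r"Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)


def basic_header(user, password):
    """Build the header a browser sends; used only to construct the sample below."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


# Constructed sample of cleartext HTTP requests to a device's web UI, as a
# network sensor might log them. Addresses, path and credentials are made up.
SAMPLE_LOG = [
    "10.0.5.20 -> 10.0.5.77:80 GET / " + basic_header("admin", "Plant-2026!"),
    "10.0.5.31 -> 10.0.5.77:80 GET / " + basic_header("", ""),
    "10.0.5.20 -> 10.0.5.77:80 GET /logo.gif",
    "10.0.5.44 -> 10.0.5.77:80 GET / Authorization: Basic !!notbase64",
]


def inspect_request(line):
    """Return a finding for one logged request, or None if it has no Basic header."""
    match = BASIC_RE.search(line)
    if match is None:
        return None
    source = line.split(" ", 1)[0]
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return {"source": source, "issue": "malformed-basic-header"}
    user, _, password = decoded.partition(":")
    # Base64 is reversible without a key, so any Basic header on plain HTTP is
    # an exposed credential. Report the fact, never the password itself.
    issue = "blank-credentials" if not user and not password else "cleartext-credentials"
    return {"source": source, "issue": issue, "user": user, "password_len": len(password)}


def audit(lines):
    """Collect findings for every request that carries a Basic header."""
    return [f for f in map(inspect_request, lines) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A `blank-credentials` finding means a client logged in with an empty username and password, which indicates the device has been configured without authentication.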

Successful exploitation allows attackers to disable authentication entirely, steal valid administrator credentials, or trigger persistent denial-of-service conditions. 

Affected versions are all versions of the Jinan USR IOT Technology Limited (PUSR) USR-W610 up to and including 3.1.1.0.

The manufacturer explicitly stated that there are no plans to patch these vulnerabilities due to the product's EOL status.

To mitigate these risks, CISA recommends immediate network isolation of all USR-W610 devices to ensure they are not accessible from the internet. Given the lack of future security updates, organizations should prioritize migrating to newer supported hardware.
