CVE-2026-25715

Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements

CVSS 9.8 CRITICALEPSS 0.6%CWE-521

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Jinan USR IOT Technology Limited (PUSR) · USR-W610

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03