CVE-2026-26049

Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials

CVSS 5.7 MEDIUMEPSS 0.3%CWE-522

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form caching.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Affected products

Jinan USR IOT Technology Limited (PUSR) · USR-W610

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03