Jinan USR IOT Technology Limited (PUSR) USR-W610 | CISA

Keypoints

• Four critical CVEs affect Jinan USR IOT PUSR USR-W610 firmware versions
• CVE-2026-25715 allows administrator credentials to be set blank, effectively disabling authentication for web and Telnet access.
• CVE-2026-24455 uses HTTP Basic Auth without TLS, exposing credentials to passive interception.
• CVE-2026-26049 reveals passwords in plaintext UI fields and CVE-2026-26048 enables deauthentication DoS via missing Management Frame Protection.
• CISA advises network isolation, firewalling, updated VPNs, and ICS hardening; Payatu Security researchers reported the vulnerabilities.