CVE-2026-25715 PUBLISHED

Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements

Assigner: icscert
Reserved: 10.02.2026 Published: 20.02.2026 Updated: 20.02.2026

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Jinan USR IOT Technology Limited (PUSR)
Product	USR-W610
Versions	Default: unaffected affected from 0 to 3.1.1.0 (incl.)

Workarounds

Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

CVE-2026-25715 PUBLISHED

Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements

Metrics

Product Status

Workarounds

Credits

References

Problem Types