PatchSiren cyber security CVE debrief
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) CVE debrief
CVE-2026-24455 is an authentication exposure in the USR-W610 embedded web interface. Because the device does not support HTTPS/TLS for login and uses HTTP Basic Authentication, credentials may be passively intercepted by an attacker on the same network. The source advisory also states the product is end-of-life and that no patch is planned.
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product: USR-W610
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-19
- Original CVE updated: 2026-02-19
- Advisory published: 2026-02-19
- Advisory updated: 2026-02-19
Who should care
OT/ICS operators, network administrators, system integrators, and anyone managing PUSR USR-W610 devices on shared or untrusted networks should treat this as urgent, especially where the web interface is reachable beyond a tightly controlled management segment.
Technical summary
The advisory states that the embedded web interface does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Although the traffic is encoded, it is not encrypted, so usernames and passwords can be exposed to passive interception by an adversary on the same network. The supplied source also indicates the product is end-of-life, which limits remediation to containment and replacement rather than patching.
Defensive priority
High. This is a network-reachable credential exposure affecting device administration, with a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and no vendor patch planned according to the source advisory.
Recommended defensive actions
- Restrict access to the device web interface to a dedicated management network or VPN, and block exposure from general user or flat networks.
- Immediately change any administrative credentials that may have been used over the affected interface, especially if access occurred on shared networks.
- Treat the interface as sensitive and avoid using it across untrusted or lightly segmented network paths until the device is isolated.
- Evaluate replacing the end-of-life USR-W610 with a supported product that provides encrypted management access.
- Review logging, network segmentation, and asset inventory so all affected devices are identified and their management paths are controlled.
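To support the credential-rotation and management-path actions above, the following added example (not from the advisory or the vendor) scans cleartext HTTP request heads recorded by a passive sensor, reports which usernames were sent with Basic Authentication, and notes whether each client sat inside the management segment. The management subnet `10.20.0.0/24`, the device address `192.0.2.10`, the record shape, and all sample requests are assumptions constructed for illustration.

```python
import base64
import binascii
import ipaddress

# Assumption: the only segment allowed to reach the device's web interface.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

def make_request(auth=None):
    # Constructed cleartext request head; 192.0.2.10 is a placeholder device IP.
    extra = f"Authorization: {auth}\r\n" if auth else ""
    return f"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n{extra}\r\n"

# Constructed sample: (client IP, request head) as a passive sensor would record it.
TOKEN = base64.b64encode(b"admin:constructed-pass").decode()
SAMPLE = [
    ("10.20.0.5", make_request("Basic " + TOKEN)),      # management segment
    ("192.168.1.77", make_request("Basic " + TOKEN)),   # flat user network
    ("192.168.1.80", make_request()),                   # no credentials sent
    ("192.168.1.81", make_request("Bearer abc.def")),   # not Basic, ignored
    ("10.20.0.9", make_request("Basic !!!")),           # malformed token, ignored
]

def basic_auth_user(head):
    """Return the username carried in a Basic Authorization header, else None."""
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        scheme, _, token = value.strip().partition(" ")
        if name.strip().lower() != "authorization" or scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except binascii.Error:
            return None
        user, sep, _secret = decoded.decode("utf-8", "replace").partition(":")
        return user if sep else None  # the password is never returned or logged
    return None

def audit(records, mgmt_net=MGMT_NET):
    """Return sorted (username, client_ip, from_mgmt_segment) for each exposed login."""
    found = set()
    for client_ip, head in records:
        user = basic_auth_user(head)
        if user is not None:
            found.add((user, client_ip, ipaddress.ip_address(client_ip) in mgmt_net))
    return sorted(found)

if __name__ == "__main__":
    for user, ip, in_mgmt in audit(SAMPLE):
        print(f"rotate '{user}': Basic login over HTTP from {ip}, mgmt segment: {in_mgmt}")
```

Every account reported was sent over cleartext HTTP and is a rotation candidate; entries with the management flag set to `False` also show a management path that segmentation should close.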
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-050-03, published 2026-02-19, which names Jinan USR IOT Technology Limited (PUSR) USR-W610 <=3.1.1.0 and states that the web interface lacks HTTPS/TLS for authentication while using HTTP Basic Authentication. The same source notes that traffic is encoded but not encrypted and that credentials may be passively intercepted on the same network. The source remediation text states the product is end-of-life and that there are no plans to patch. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, matching a confidentiality-focused network exposure.
Official resources
- CVE-2026-24455 CVE record (CVE.org)
- CVE-2026-24455 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA CSAF advisory ICSA-26-050-03 was initially published on 2026-02-19 and is the source used here for timing and remediation context. The advisory and supplied record both indicate the affected product is end-of-life and that no patch is,