PatchSiren cyber security CVE debrief
CVE-2026-25715 Jinan USR IOT Technology Limited (PUSR) CVE debrief
CVE-2026-25715 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices at version 3.1.1.0 and earlier. CISA says the web management interface can be configured with blank administrator credentials; once applied, the device accepts empty credentials over both the web interface and Telnet, effectively removing authentication from critical management channels. Because PUSR has stated the product is end-of-life and no patch is planned, defenders should treat this as an immediate compensating-controls issue.
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product: USR-W610
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-19
- Original CVE updated: 2026-02-19
- Advisory published: 2026-02-19
- Advisory updated: 2026-02-19
Who should care
OT/ICS operators, plant engineers, network security teams, and asset owners responsible for PUSR USR-W610 deployments or any exposed web/Telnet management paths.
Technical summary
The issue is an authentication failure in device management: the product permits administrator username and password fields to be set to blank values, and those empty credentials are then accepted for access. The exposure affects web management and Telnet, so a network-adjacent attacker can reach administrative functions without valid credentials if the service is reachable. The advisory lists the product as end-of-life, which removes the option of a vendor patch and increases reliance on segmentation, service restriction, and replacement planning.
Defensive priority
Critical. This is a complete management-authentication failure on an end-of-life device, with no planned vendor fix and a high likelihood of administrative takeover if management services are reachable.
Recommended defensive actions
- Inventory all PUSR USR-W610 devices and confirm whether any are running version 3.1.1.0 or earlier.
- Restrict web management and Telnet to trusted administration networks only; block access from user, guest, and broader operational segments.
- Disable Telnet and any unnecessary remote management exposure where operationally possible.
- Verify that no device is configured with blank administrator credentials, and review management access paths for unintended reachability.
- Place affected devices behind compensating controls such as network segmentation, jump hosts, and strict allowlists.
- Plan replacement or migration for the end-of-life product, since the advisory states no patch is planned.
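The inventory and access-restriction steps above can be checked against data most sites already have. The following is an added example, not code from CISA or PUSR: it flags USR-W610 devices at 3.1.1.0 or earlier and lists flows to their management ports from outside the administration network. The inventory and flow formats, IP addresses, admin subnet, and the port numbers 23 and 80 are assumptions.

```python
import ipaddress

AFFECTED_MODEL = "USR-W610"
LAST_AFFECTED = (3, 1, 1, 0)   # advisory: version 3.1.1.0 and earlier
MGMT_PORTS = {23, 80}          # assumption: default Telnet and HTTP ports
ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/24")]  # hypothetical admin VLAN

# Constructed sample inventory and flow records (src, dst, dst_port).
INVENTORY = [
    {"ip": "10.20.1.11", "model": "USR-W610", "firmware": "3.1.1.0"},
    {"ip": "10.20.1.12", "model": "USR-W610", "firmware": "3.0.9"},
    {"ip": "10.20.1.13", "model": "USR-W610", "firmware": "3.2.0.0"},  # hypothetical later build
    {"ip": "10.20.1.14", "model": "usr-w610", "firmware": "unknown"},
    {"ip": "10.20.1.15", "model": "OTHER-GW", "firmware": "1.0.0.0"},
]
FLOWS = [
    ("10.10.50.7", "10.20.1.11", 80),   # admin VLAN: allowed
    ("10.30.4.22", "10.20.1.11", 23),   # user segment to Telnet
    ("10.30.4.22", "10.20.1.13", 23),   # device not in affected range
    ("10.30.4.9", "10.20.1.14", 80),    # unknown firmware, treated as affected
    ("10.30.4.9", "10.20.1.12", 443),   # port not in MGMT_PORTS
]

def parse_version(text):
    """Return a 4-part integer tuple, or None if not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def is_affected(device):
    if device["model"].upper() != AFFECTED_MODEL:
        return False
    version = parse_version(device["firmware"])
    # Unparseable firmware strings fail closed: treat the device as affected.
    return version is None or version <= LAST_AFFECTED

def affected_ips(inventory):
    return {d["ip"] for d in inventory if is_affected(d)}

def untrusted_mgmt_flows(inventory, flows):
    """Flows to affected devices' management ports from outside ADMIN_NETS."""
    targets = affected_ips(inventory)
    return [
        (src, dst, port) for src, dst, port in flows
        if dst in targets and port in MGMT_PORTS
        and not any(ipaddress.ip_address(src) in net for net in ADMIN_NETS)
    ]
```

Any flow this returns is a management path that segmentation or an allowlist should have blocked; adjust MGMT_PORTS if a device has been reconfigured to non-default ports.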
Evidence notes
The source corpus is a CISA CSAF advisory (ICSA-26-050-03) published on 2026-02-19, the same date as the CVE record and source item. The advisory text explicitly states that blank admin credentials are accepted over the web interface and Telnet, and that PUSR has said the product is end-of-life with no planned patch. The corpus also marks the vendor/product identity with low confidence and requests review, so product naming should be treated cautiously while the advisory itself remains authoritative.
Official resources
- CVE-2026-25715 CVE record (CVE.org)
- CVE-2026-25715 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the CSAF advisory and associated CVE record on 2026-02-19. The supplied corpus does not include an earlier vendor disclosure date or additional disclosure timeline beyond that publication.