CVE-2026-26048 Jinan USR IOT Technology Limited (PUSR) CVE debrief

Who should care

Organizations operating PUSR USR-W610 devices, especially teams responsible for wireless availability, OT/ICS networking, and replacing end-of-life equipment.

Technical summary

According to CISA’s CSAF advisory ICSA-26-050-03, the affected USR-W610 devices are missing Management Frame Protection. That weakness allows forged wireless deauthentication and disassociation frames to be accepted or acted on without authentication or encryption, which can disrupt connectivity and cause denial of service. The advisory identifies affected versions as <=3.1.1.0 and notes the product is end-of-life with no vendor patch planned.

Defensive priority

High

Recommended defensive actions

• Inventory all PUSR USR-W610 devices and confirm whether any are running version 3.1.1.0 or earlier.
• Treat affected devices as end-of-life risk and plan replacement or retirement, since the advisory states no patch is planned.
• Reduce wireless exposure where possible and segment affected devices from unnecessary network access.
• Monitor for unusual deauthentication, disassociation, or repeated wireless disconnect events.
• Contact PUSR using the advisory’s listed support channel for lifecycle and replacement guidance.
• Follow CISA ICS recommended practices for defense-in-depth and availability protection.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory ICSA-26-050-03 and the official links listed with it. The advisory explicitly states that the USR-W610 is vulnerable because Management Frame Protection is absent, allowing forged deauthentication and disassociation frames without authentication or encryption, and that the product is end-of-life with no patch planned. Published and modified dates used here are the CVE/advisory dates supplied in the corpus.

Official resources