PatchSiren

CVE-2026-26049 Jinan USR IOT Technology Limited (PUSR) CVE debrief

CVE-2026-26049 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices up to version 3.1.1.0. According to CISA’s advisory, the web management interface renders the password in a plaintext input field, which can expose administrator credentials to anyone who can view the UI directly or indirectly. CISA published the advisory on 2026-02-19 with a Medium CVSS 3.1 score of 5.7. The vendor statement included in the advisory says the product is end-of-life and there is no plan to patch it.

Vendor: Jinan USR IOT Technology Limited (PUSR)
Product: USR-W610
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-19
Original CVE updated: 2026-02-19
Advisory published: 2026-02-19
Advisory updated: 2026-02-19

Who should care

OT/ICS operators, site administrators, and security teams responsible for PUSR USR-W610 devices, especially where the web management interface is accessible to shared workstations, remote support personnel, or other users who could observe the screen or capture it.

Technical summary

The issue is a credential-disclosure problem in the device’s web management UI: the current password is shown in a plaintext input field instead of being masked. That creates a risk of unauthorized observation through shoulder surfing, screenshots, or browser/UI caching artifacts. The advisory maps the weakness to CWE-522 and lists a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, reflecting a confidentiality impact without direct integrity or availability effects. The supplied remediation notes also state the product is end-of-life and not planned for patching.
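
An added example (not from the advisory or the vendor): a small Python audit that flags the pattern described above in a saved copy of a management page, namely a credential-like input that is unmasked, prefilled with the current value, or eligible for browser form history. The field names, hint substrings and sample HTML are constructed assumptions; the advisory does not show the device's real markup.

```python
from html.parser import HTMLParser

# Substrings suggesting a field holds a secret (assumed heuristic, not from the advisory).
SECRET_HINTS = ("pass", "pwd", "psk")


class PlaintextSecretFinder(HTMLParser):
    """Collects <input> elements that look like credential fields but expose their value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        label = (a.get("name", "") + " " + a.get("id", "")).lower()
        if not any(hint in label for hint in SECRET_HINTS):
            return
        issues = []
        if a.get("type", "text").lower() != "password":  # HTML defaults to type=text
            issues.append("unmasked")  # readable on screen and in screenshots
            if a.get("autocomplete", "").lower() != "off":
                issues.append("form-history")  # browser may store the typed value
        if a.get("value"):
            issues.append("prefilled")  # current secret is sent back in the page source
        if issues:
            self.findings.append((a.get("name") or a.get("id"), issues))


def audit_form(html):
    """Return [(field, [issues])] for credential-like inputs in an HTML string."""
    finder = PlaintextSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup: the weak rendering beside a masked, empty field.
SAMPLE_WEAK = '''<form><input type="text" name="admin_user" value="admin">
<input type="text" name="admin_pwd" value="Example-Only-1"></form>'''
SAMPLE_MASKED = '''<form><input type="text" name="admin_user" value="admin">
<input type="password" name="admin_pwd" value="" autocomplete="new-password"></form>'''

if __name__ == "__main__":
    for title, page in (("weak", SAMPLE_WEAK), ("masked", SAMPLE_MASKED)):
        print(title, audit_form(page))
```

Because the product is end-of-life, a finding here is a reason to apply the compensating controls and credential rotation the page recommends, not an indication that a fixed firmware exists.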

Defensive priority

Medium-high. The vulnerability does not provide code execution, but it can expose administrative credentials, which may enable follow-on access if those credentials are reused or remain valid. Priority increases in environments where the device is administered from shared, remote, or monitored workspaces and where no vendor fix is available.

Recommended defensive actions

  • Inventory any PUSR USR-W610 devices and confirm whether they are at or below version 3.1.1.0.
  • Restrict access to the web management interface to trusted administrative networks and authorized users only.
  • Use administrative workstations and viewing conditions that reduce the chance of screen observation or screen capture.
  • Treat exposed passwords as potentially compromised and rotate affected credentials according to local policy.
  • Review whether any credentials used on the device are reused elsewhere and replace them if necessary.
  • Because the vendor states the product is end-of-life, plan for compensating controls and eventual replacement rather than expecting a patch.
  • Apply ICS defense-in-depth and recommended practices from CISA to limit the blast radius of management-plane exposure.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory data for ICSA-26-050-03 / CVE-2026-26049. The advisory states that the web management interface renders passwords in a plaintext input field and explicitly cites exposure via shoulder surfing, screenshots, or browser form caching. The remediation section says PUSR stated the product is end-of-life and there are no plans to patch. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, and the SSVC note indicates Exploitation: None and Automatable: None as provided in the source corpus. Vendor/product naming confidence in the prompt is low, so the product identification should be treated as advisory-sourced rather than independently validated here.

Official resources

CISA CSAF advisory ICSA-26-050-03 was published on 2026-02-19 and identified the issue as CVE-2026-26049. The supplied advisory history shows an initial publication only, with no later revision in the provided corpus.