PatchSiren cyber security CVE debrief
CVE-2026-7786 Jinan USR IOT Technology Limited (PUSR) CVE debrief
A critical vulnerability in Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter firmware exposes plaintext administrative credentials embedded directly in the firmware image. The vulnerability, published on 2026-05-29, carries a CVSS 3.1 score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-accessible exploitation without authentication requirements leading to full confidentiality, integrity, and availability compromise. The root cause is classified under CWE-798 (Use of Hard-coded Credentials). Attackers with firmware access can extract these credentials and authenticate to device services, effectively bypassing security controls. The USR-W610 is an industrial IoT device commonly deployed in operational technology environments for serial-to-network conversion, making this vulnerability particularly concerning for critical infrastructure applications where these devices bridge legacy serial systems with modern networks.
- Vendor: Jinan USR IOT Technology Limited (PUSR)
- Product: USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Operational technology security teams managing industrial serial-to-Ethernet converters; critical infrastructure operators using USR-W610 devices for SCADA or industrial control system connectivity; network administrators responsible for IoT device security; procurement teams evaluating industrial IoT vendor security practices; incident response teams monitoring for credential-based compromises in OT environments
Technical summary
The USR-W610 firmware contains unencrypted administrative credentials stored within the firmware binary. These credentials are not hashed or encrypted, allowing extraction through static analysis of firmware images obtained via device firmware dumps, vendor downloads, or physical access. Once extracted, credentials enable authentication to device administrative interfaces. The vulnerability is exploitable remotely if administrative services are exposed to networks, with no authentication prerequisites. The CVSS attack vector (AV:N) indicates network exploitability, though initial credential extraction requires firmware access. Post-extraction, attackers gain privileged device access with impacts across confidentiality, integrity, and availability dimensions.
Defensive priority
Critical
Recommended defensive actions
- Inventory all deployed Jinan USR IOT Technology Limited USR-W610 devices within your network environment
- Extract and analyze current firmware images to identify embedded credential strings using standard firmware analysis tools
- Change default administrative credentials on all identified devices; verify no hardcoded credentials remain effective after configuration changes
- Implement network segmentation to isolate USR-W610 devices from untrusted networks and critical operational systems
- Monitor for unauthorized authentication attempts to device management interfaces
- Contact vendor for patched firmware versions that eliminate hardcoded credential vulnerabilities
- Consider replacement of affected devices if vendor patches are unavailable or delayed
- Review and update procurement policies to prohibit devices with embedded plaintext credentials
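The "extract and analyze current firmware images" step and the "verify no hardcoded credentials remain effective" step both come down to the same audit: does the image still carry credential material in the clear? The following is an added example written for this debrief, not vendor or PatchSiren code. It applies the `strings`-style extraction that standard firmware analysis tools perform, looks for key/value pairs whose key names a credential field, and distinguishes plaintext values from crypt-style hashes. The key list, the regular expressions and the sample image are all assumptions constructed for the demo; the sample does not reproduce any real USR-W610 firmware content or credential.

```python
"""Audit a firmware image for plaintext credential-like strings (CWE-798 check).

Added example for the debrief's firmware-analysis and verification steps. Not
vendor code. Run it against a decompressed image; it cannot see into compressed
or obfuscated sections, so an empty result only means this heuristic found none.
"""
import re
from dataclasses import dataclass

# Field names that commonly label stored credentials in embedded configuration
# blocks (assumption: extend with whatever field names your own analysis finds).
CREDENTIAL_TOKENS = {"user", "username", "login", "pass", "passwd", "password",
                     "pwd", "secret", "key", "token"}

# Runs of at least four printable ASCII bytes, like the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# key=value or key:value pairs inside one extracted string.
KV_PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_.-]{1,31})\s*[=:]\s*([^\s;,]{1,64})")
# crypt(3)-style hash prefixes ($1$, $2a$, $5$, $6$, $y$): hashed, not plaintext.
HASH_LIKE = re.compile(r"^\$(?:1|2[aby]?|5|6|y)\$")


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the pair inside the image
    key: str
    value: str
    plaintext: bool  # False when the value is a recognised hash format


def extract_strings(blob):
    """Yield (offset, text) for every printable run in the image."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def looks_like_credential_key(key):
    """True when any token of the key (split on non-alphanumerics) names a credential."""
    tokens = re.split(r"[^a-z0-9]+", key.lower())
    return any(t in CREDENTIAL_TOKENS for t in tokens)


def find_credential_strings(blob):
    """Return every key/value pair whose key looks like a credential field."""
    findings = []
    for offset, text in extract_strings(blob):
        for m in KV_PAIR.finditer(text):
            key, value = m.group(1), m.group(2)
            if looks_like_credential_key(key):
                # Offsets line up because the extracted text is pure ASCII.
                findings.append(Finding(offset + m.start(), key, value,
                                        plaintext=HASH_LIKE.match(value) is None))
    return findings


def has_plaintext_credentials(blob):
    """The pass/fail answer for the verification step: any credential stored in the clear?"""
    return any(f.plaintext for f in find_credential_strings(blob))


# Constructed sample image: binary padding around a small config block. Every
# value below is made up for the demo and is not a real device credential.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03" * 64
    + b"[web]\nusername=admin\npassword=example-plain-pw\n\x00"
    + b"\x00\xff\xfe" * 20
    + b"[sys]\nadmin_pass=$6$saltsalt$h4sh3dv4lu3\n\x00"
    + b"baud_rate=115200\x00"
    + b"\x00\x01\x02\x03" * 64
)

if __name__ == "__main__":
    for f in find_credential_strings(SAMPLE_IMAGE):
        state = "PLAINTEXT" if f.plaintext else "hashed"
        print(f"0x{f.offset:06x} {f.key}={f.value!r} [{state}]")
    print("verdict:", "FAIL" if has_plaintext_credentials(SAMPLE_IMAGE) else "pass")
```

Run it before and after applying vendor firmware or a credential change: a `FAIL` verdict after the update means the embedded credentials are still present in the image regardless of what the web interface reports, which is the condition the "verify no hardcoded credentials remain effective" step is meant to catch. Expect some false positives from generic keys such as `key`; review each finding rather than counting them.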
Evidence notes
CVE description confirms plaintext credential embedding in firmware. CVSS 9.8 score reflects unauthenticated network exploitation potential. CISA ICS-CERT advisory (ICSA-26-148-02) provides official government attribution. CWE-798 classification from [email protected] source. No KEV listing indicates absence of confirmed active exploitation at disclosure time.
Official resources
2026-05-29