CVE-2026-26049 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices up to version 3.1.1.0. According to CISA’s advisory, the web management interface renders the password in a plaintext input field, which can expose administrator credentials to anyone who can view the UI directly or indirectly. CISA published the advisory on 2026-02-19 with a Medium CVSS 3.1 score of 5.7. The vendor statement [truncated]
HIGHJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-26048 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices. CISA says the router lacks Management Frame Protection, which allows forged deauthentication and disassociation frames to be sent without authentication or encryption, creating a denial-of-service risk. The advisory also states the product is end-of-life and no patch is planned.
CRITICALJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-25715 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices at version 3.1.1.0 and earlier. CISA says the web management interface can be configured with blank administrator credentials; once applied, the device accepts empty credentials over both the web interface and Telnet, effectively removing authentication from critical management channels. Because PUSR has stated the product is [truncated]
HIGHJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-24455 is an authentication exposure in the USR-W610 embedded web interface. Because the device does not support HTTPS/TLS for login and uses HTTP Basic Authentication, credentials may be passively intercepted by an attacker on the same network. The source advisory also states the product is end-of-life and that no patch is planned.
