A critical vulnerability in Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter firmware exposes plaintext administrative credentials embedded directly in the firmware image. The vulnerability, published on 2026-05-29, carries a CVSS 3.1 score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-accessible exploitation without authenticat [truncated]
MEDIUMJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-26049 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices up to version 3.1.1.0. According to CISA’s advisory, the web management interface renders the password in a plaintext input field, which can expose administrator credentials to anyone who can view the UI directly or indirectly. CISA published the advisory on 2026-02-19 with a Medium CVSS 3.1 score of 5.7. The vendor statement [truncated]
HIGHJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-26048 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices. CISA says the router lacks Management Frame Protection, which allows forged deauthentication and disassociation frames to be sent without authentication or encryption, creating a denial-of-service risk. The advisory also states the product is end-of-life and no patch is planned.
CRITICALJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-25715 affects Jinan USR IOT Technology Limited (PUSR) USR-W610 devices at version 3.1.1.0 and earlier. CISA says the web management interface can be configured with blank administrator credentials; once applied, the device accepts empty credentials over both the web interface and Telnet, effectively removing authentication from critical management channels. Because PUSR has stated the product is [truncated]
HIGHJinan USR IOT Technology Limited (PUSR)CVE published 2026-02-19
CVE-2026-24455 is an authentication exposure in the USR-W610 embedded web interface. Because the device does not support HTTPS/TLS for login and uses HTTP Basic Authentication, credentials may be passively intercepted by an attacker on the same network. The source advisory also states the product is end-of-life and that no patch is planned.