Jinan USR IOT Technology Limited (PUSR) USR-W610

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-050-03 | Feb 19, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The PUSR USR-W610 contains flaws in credential handling, encryption, and authentication mechanisms (CWE-521, CWE-319, CWE-522, CWE-306). Successful exploitation could allow an attacker to disable authentication, trigger denial-of-service, or steal valid user credentials, including those of administrator accounts. The vendor has declared the product end-of-life and will not release patches. Versions 3.1.1.0 and earlier are affected.

What this means
What could happen
An attacker can disable authentication, cause the device to stop responding, or steal administrator credentials for a PUSR USR-W610 device. This could allow unauthorized control of the device and its connected network or industrial systems.
Who's at risk
Organizations operating PUSR USR-W610 industrial IoT devices, including water utilities, power systems, and manufacturing operations that rely on this device for network connectivity or device management, should assess their exposure. This affects any facility where the USR-W610 is deployed as a critical control point or data gateway.
How it could be exploited
An attacker with network access to the USR-W610 can exploit credential handling, encryption, or authentication flaws to disable login protections, extract user credentials, or trigger a denial-of-service condition, without requiring authentication or user interaction.
Prerequisites
  • Network access to the USR-W610 device
  • No authentication required to trigger the vulnerability
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS score (9.8)
  • No patch available (end-of-life product)
  • Affects credential protection and authentication systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
USR-W610: <=3.1.1.0 | ≤ 3.1.1.0 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact Jinan USR IOT Technology Limited (PUSR) to understand end-of-life status and obtain any available security guidance or configuration hardening steps
HARDENING: Restrict network access to the USR-W610 to only authorized engineering and administrative staff using firewall rules and network segmentation
HARDENING: Monitor the USR-W610 for unusual network activity or authentication attempts; enable logging if available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Isolate the USR-W610 on a separate network segment if possible, limiting its communication to only required systems
Mitigations - no patch available
USR-W610: <=3.1.1.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Plan replacement or decommissioning of the USR-W610 device, as the vendor will not release security patches