Jinan USR IOT Technology Limited (PUSR) USR-W610
Act Now | CVSS 9.8 | ICS-CERT ICSA-26-050-03 | Feb 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The PUSR USR-W610 wireless IoT gateway contains multiple critical vulnerabilities related to weak credential storage (CWE-521), unencrypted transmission of sensitive data (CWE-319), insufficient credential protection (CWE-522), and missing authentication mechanisms (CWE-306). These allow an unauthenticated attacker with network access to disable authentication, perform denial-of-service attacks, or steal administrator credentials. The product is end-of-life with no vendor patches planned.
What this means
What could happen
An attacker could disable authentication on the device, causing a denial-of-service condition, or steal administrator credentials to gain full control of the USR-W610 gateway and alter network traffic or configuration.
Who's at risk
Water authorities and electric utilities that use the PUSR USR-W610 wireless IoT gateway for remote device communication and management are affected. This device is commonly deployed in SCADA and remote telemetry applications to connect field equipment to central management systems.
How it could be exploited
An attacker with network access to the USR-W610 device can exploit authentication and cryptographic weaknesses to disable authentication mechanisms, extract credentials from memory or storage, or trigger a denial-of-service condition without needing valid credentials or special network position.
Prerequisites
- Network access to the USR-W610 device on the port it is listening on (typically HTTP/HTTPS)
- No valid credentials required for initial exploitation
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available (end-of-life product)
- Critical CVSS score (9.8)
- Multiple cryptographic and authentication weaknesses
- No vendor support or updates planned
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
USR-W610: <=3.1.1.0 | ≤ 3.1.1.0 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Contact Jinan USR IOT Technology Limited (PUSR) to discuss migration options and support, as the USR-W610 is end-of-life and will not receive security updates
- WORKAROUND: Implement network segmentation to restrict access to the USR-W610 to trusted administrative networks only; apply firewall rules to block unauthorized inbound connections
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Monitor network traffic to and from the USR-W610 for signs of exploitation or credential theft
Mitigations - no patch available
USR-W610: <=3.1.1.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Plan and execute replacement or retirement of USR-W610 devices with supported, actively maintained alternatives