CVE-2026-25715

CRITICAL

Device Web Interface - Auth Bypass

Title source: llm

Description

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

References (2)

[Various Sources] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json

View Writeup ZIP pw:eip

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 28.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-521

Status published

Products (1)

Jinan USR IOT Technology Limited (PUSR)/USR-W610 < 3.1.1.0

Published Feb 20, 2026

Tracked Since Feb 21, 2026