CVE-2026-25715
CRITICALUSR-W610 < 3.1.1.0 - Unauthenticated Administrative Access via Blank Credentials
Title source: llmDescription
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
References (2)
Core 2
Core References
Various Sources
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json
Third Party Advisory, US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03
Scores
CVSS v3
9.8
EPSS
0.0057
EPSS Percentile
42.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-521
Status
published
Products (1)
Jinan USR IOT Technology Limited (PUSR)/USR-W610
< 3.1.1.0
Published
Feb 20, 2026
Tracked Since
Feb 21, 2026