Critical Flaws in PUSR USR-W610 IoT Devices Expose Networks to Attacks

Four critical vulnerabilities in PUSR USR-W610 IoT devices (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048) allow attackers to disable authentication, steal credentials, and cause denial-of-service, with no official patches available due to end-of-life status.

---
title: "Critical Flaws in PUSR USR-W610 IoT Devices Expose Networks to Attacks"
short_title: "Critical vulnerabilities in PUSR USR-W610 IoT devices"
description: "Four critical vulnerabilities in PUSR USR-W610 IoT devices enable attackers to disable authentication, steal credentials, and cause denial-of-service. Learn how to mitigate risks."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [iot, vulnerabilities, cve-2026, cybersecurity, denial-of-service]
score: 0.85
cve_ids: [CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048]
---

### TL;DR

Four critical vulnerabilities in Jinan USR IOT Technology Limited (PUSR) USR-W610 IoT devices allow attackers to disable authentication, steal credentials, and cause denial-of-service (DoS) conditions. These flaws affect devices running versions ≤3.1.1.0 and pose severe risks to critical manufacturing sectors worldwide. The vendor has declared the product end-of-life, leaving users with no official patches.

---

### Introduction

IoT devices are increasingly targeted by cybercriminals due to their widespread use and often inadequate security measures. The PUSR USR-W610, a popular IoT device deployed globally, has been found to contain four critical vulnerabilities that could expose networks to unauthorized access, credential theft, and disruptive attacks. These flaws, identified by researchers at Payatu Security Consulting, highlight the urgent need for organizations to reassess their IoT security strategies.

---

### Key Points

- Four critical vulnerabilities affect PUSR USR-W610 devices running versions ≤3.1.1.0.
- Exploitation could lead to disabled authentication, credential theft, and denial-of-service (DoS) attacks.
- The vendor has declared the product end-of-life, meaning no official patches will be released.
- Affected sectors include critical manufacturing, with devices deployed worldwide.
- Organizations are urged to minimize network exposure and implement defensive measures immediately.

---

### Technical Details

#### Vulnerabilities Overview
The PUSR USR-W610 devices are affected by the following vulnerabilities:

| CVE ID | Severity | Description | CVSS Score |
|--------------------|--------------|-----------------------------------------------------------------------------------------------------|----------------|
| CVE-2026-25715 | Critical | Allows blank administrator credentials, disabling authentication for web and Telnet access. | 9.8 |
| CVE-2026-24455 | High | Uses HTTP Basic Authentication without encryption, exposing credentials to interception. | 7.5 |
| CVE-2026-26049 | Medium | Displays passwords in plaintext in the web interface, risking unauthorized observation. | 5.7 |
| CVE-2026-26048 | High | Lacks Management Frame Protection, enabling de-authentication attacks and DoS conditions. | 7.5 |

---

#### CVE-2026-25715: Weak Password Requirements
The web management interface of the USR-W610 allows administrators to set blank usernames and passwords. Once applied, the device accepts empty credentials for authentication via the web interface and Telnet service. This flaw effectively disables authentication, granting full administrative control to any network-adjacent attacker without requiring credentials.

---

#### CVE-2026-24455: Cleartext Transmission of Sensitive Information
The device’s web interface lacks HTTPS/TLS support and relies on HTTP Basic Authentication. Basic Authentication only base64-encodes the username and password; it does not encrypt them, so user credentials are exposed to passive interception by attackers on the same network.
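As an added detection example (not code from the advisory, CISA, or the vendor), the following Python scans captured plaintext HTTP requests for Basic credentials, which is exactly what CVE-2026-24455 leaves visible on the wire, and also flags the empty `:` token that a blank username and password (CVE-2026-25715) would produce. The request samples and the 192.0.2.10 address are constructed for illustration.

```python
import base64
import re

# Constructed sample of captured HTTP requests (not real device traffic):
# each tuple is (destination port, raw request bytes). Port 80 is plaintext,
# so anything in these headers was readable by anyone on the path.
SAMPLE_REQUESTS = [
    (80, b"GET /login.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
         b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),      # "admin:admin"
    (80, b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    (80, b"POST /cgi-bin/config HTTP/1.1\r\nHost: 192.0.2.10\r\n"
         b"Authorization: Basic Og==\r\n\r\n"),                  # ":" -> blank/blank
]

AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def decode_basic(token):
    """Return (username, password) from a Basic token, or None if malformed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def find_cleartext_basic_auth(requests):
    """Flag Basic credentials seen in plaintext HTTP.

    Each finding records the port, the username and whether both the
    username and password were empty. The password itself is never
    returned, so the output is safe to ship to a SIEM."""
    findings = []
    for port, data in requests:
        for match in AUTH_RE.finditer(data):
            creds = decode_basic(match.group(1))
            if creds is None:
                continue            # not a well-formed Basic token; ignore
            user, password = creds
            findings.append({
                "port": port,
                "user": user,
                "blank_credentials": user == "" and password == "",
            })
    return findings
```

Any finding at all means credentials are crossing the network unencrypted; a finding with `blank_credentials` set means the device is also accepting empty logins.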

---

#### CVE-2026-26049: Insufficiently Protected Credentials
The web management interface displays passwords in plaintext within input fields. This exposes administrator credentials to shoulder surfing, screenshots, or browser form caching, increasing the risk of unauthorized access.

---

#### CVE-2026-26048: Missing Authentication for Critical Function
The USR-W610 Wi-Fi router lacks Management Frame Protection (MFP), allowing attackers to send forged deauthentication and disassociation frames without authentication or encryption. This can be exploited to disrupt connectivity and cause a denial-of-service (DoS) condition.
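Whether an access point advertises Management Frame Protection can be verified from its own beacons: the RSN information element carries MFPC (capable) and MFPR (required) bits in its RSN Capabilities field. The following Python, added here as an audit example and not taken from the advisory or the vendor, parses that element and reports the MFP status; the beacon byte strings are constructed samples, not captures from a USR-W610.

```python
import struct

RSN_ELEMENT_ID = 0x30
MFPR_BIT = 1 << 6   # RSN Capabilities bit 6: Management Frame Protection Required
MFPC_BIT = 1 << 7   # RSN Capabilities bit 7: Management Frame Protection Capable


def _rsn_ie(caps_le):
    """Build a minimal WPA2-PSK/CCMP RSN IE with the given capability bytes."""
    body = (b"\x01\x00"                            # RSN version 1
            + b"\x00\x0f\xac\x04"                  # group cipher: CCMP
            + b"\x01\x00" + b"\x00\x0f\xac\x04"    # 1 pairwise cipher: CCMP
            + b"\x01\x00" + b"\x00\x0f\xac\x02"    # 1 AKM suite: PSK
            + caps_le)                             # RSN Capabilities (LE), may be empty
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed beacon tagged-parameter blobs: an SSID IE followed by the RSN IE.
SAMPLE_BEACONS = {
    "no-mfp":   b"\x00\x06legacy" + _rsn_ie(b"\x00\x00"),   # WPA2, no 802.11w
    "optional": b"\x00\x06optmfp" + _rsn_ie(b"\x80\x00"),   # MFPC only
    "required": b"\x00\x06reqmfp" + _rsn_ie(b"\xc0\x00"),   # MFPC + MFPR
    "open":     b"\x00\x04open",                            # no RSN IE at all
}


def iter_ies(tagged):
    """Yield (element_id, payload) pairs from an 802.11 tagged-parameters blob."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        yield eid, tagged[i + 2:i + 2 + length]
        i += 2 + length


def mfp_status(tagged):
    """Return 'none', 'capable' or 'required' for the AP described by `tagged`."""
    for eid, ie in iter_ies(tagged):
        if eid != RSN_ELEMENT_ID:
            continue
        off = 2 + 4                                 # skip version + group cipher
        for _ in range(2):                          # pairwise list, then AKM list
            if off + 2 > len(ie):
                return "none"                       # truncated element
            count = struct.unpack_from("<H", ie, off)[0]
            off += 2 + 4 * count
        if off + 2 > len(ie):
            return "none"                           # optional caps field absent
        caps = struct.unpack_from("<H", ie, off)[0]
        if caps & MFPR_BIT:
            return "required"
        return "capable" if caps & MFPC_BIT else "none"
    return "none"                                   # no RSN IE: open or WPA1-only
```

An AP reporting `none` is in the position the advisory describes: its deauthentication and disassociation frames carry no integrity protection, so clients will honour forged ones.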

---

### Impact Assessment

The vulnerabilities in the PUSR USR-W610 pose severe risks to organizations, particularly those in critical manufacturing sectors. Successful exploitation could result in:
- Unauthorized administrative access to IoT devices.
- Theft of valid user credentials, including administrator passwords.
- Denial-of-service (DoS) attacks, disrupting operations.
- Lateral movement within networks, leading to broader compromises.

Given that the vendor has declared the product end-of-life, organizations must act swiftly to mitigate risks and prevent potential breaches.

---

### Mitigation Steps

CISA recommends the following defensive measures to minimize the risk of exploitation:

1. Minimize Network Exposure
   - Ensure control system devices and IoT systems are not accessible from the internet.
   - Isolate IoT devices behind firewalls and segment them from business networks.

2. Use Secure Remote Access Methods
   - When remote access is required, use Virtual Private Networks (VPNs).
   - Keep VPNs updated to the latest version and ensure connected devices are secure.

3. Implement Network Monitoring
   - Deploy intrusion detection systems (IDS) to monitor for suspicious activity.
   - Regularly audit network traffic for signs of exploitation.

4. Replace End-of-Life Devices
   - Consider replacing PUSR USR-W610 devices with supported alternatives that receive security updates.

5. Follow Best Practices for IoT Security
   - Refer to CISA’s [ICS Cybersecurity Best Practices](https://www.cisa.gov/ics) for guidance on securing industrial control systems.
   - Implement a defense-in-depth strategy to protect critical assets.

---

### Affected Systems

- Product: Jinan USR IOT Technology Limited (PUSR) USR-W610
- Affected Versions: ≤3.1.1.0
- Critical Infrastructure Sectors: Critical Manufacturing
- Deployment: Worldwide
- Vendor Headquarters: China

---

### Conclusion

The discovery of four critical vulnerabilities in the PUSR USR-W610 IoT devices underscores the urgent need for organizations to prioritize IoT security. With the vendor declaring the product end-of-life, users must take proactive steps to mitigate risks, including isolating devices, implementing secure remote access, and monitoring network traffic.

As IoT devices continue to proliferate across industries, the importance of robust security measures cannot be overstated. Organizations must remain vigilant and adopt best practices to safeguard their networks from emerging threats.
