CVE-2026-24455
Published: 2026-02-20
Priority: P3 49 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.24% (15.2th percentile)
The embedded web interface of the device does not support HTTPS/TLS for
authentication and uses HTTP Basic Authentication. Traffic is encoded
but not encrypted, exposing user credentials to passive interception by
attackers on the same network.
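The following is an added example, not part of the advisory or any vendor code: a passive check that flags `Authorization: Basic` headers in unencrypted HTTP requests and shows that the Base64 token decodes directly to the username and password. The function names, hosts and credentials are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: raw HTTP requests as a passive sensor would see them on
# port 80. Host, paths and credentials are made up for this example.
_CRED = base64.b64encode(b"admin:S3cret-Pass").decode()
SAMPLE_REQUESTS = [
    f"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic {_CRED}\r\n\r\n",
    "GET /logo.png HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic !!notbase64!!\r\n\r\n",
]


def parse_headers(raw):
    """Return (request_line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_cleartext_basic_auth(raw_requests):
    """Flag Basic credentials seen in unencrypted HTTP requests."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_headers(raw)
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            # Base64 is an encoding, not encryption: no key is needed to reverse it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
            user, _, password = decoded.partition(":")
        except (binascii.Error, UnicodeDecodeError):
            user, password = "<undecodable>", ""
        findings.append({
            "host": headers.get("host", "?"),
            "request": request_line,
            "user": user,
            # Report only the length so the alert itself does not leak the secret.
            "password_len": len(password),
        })
    return findings
```
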
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jinan_usr_iot_technology_limited | usr-w610 | <= 3.1.1.0 | — |
CISA ICS
Jinan USR IOT Technology Limited (PUSR) USR-W610
cisa_ics·2026-02-19·CVSS 7.5
[HIGH] Jinan USR IOT Technology Limited (PUSR) USR-W610
ICS Advisory
## Jinan USR IOT Technology Limited (PUSR) USR-W610
Release Date: February 19, 2026
Alert Code: ICSA-26-050-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could result in authentication being disabled, a denial-of-service condition, or an attacker stealing valid user credentials, including administrator credentials.
The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 are affected:
- USR-W610 <=3.1.1.0 (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Jinan USR IOT Technology Limited (PUSR) | Jinan USR IOT Technology Limited (PUSR) USR-W610 | Weak Pass |
GHSA
GHSA-3fr7-jch8-4qjv: The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication
ghsa_unreviewed·2026-02-20
CVE-2026-24455 [HIGH] CWE-319
The embedded web interface of the device does not support HTTPS/TLS for
authentication and uses HTTP Basic Authentication. Traffic is encoded
but not encrypted, exposing user credentials to passive interception by
attackers on the same network.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.