cbcvebase.
CVE-2026-25715
published 2026-02-20


Priority: P268
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.8th percentile)

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| jinan_usr_iot_technology_limited | usr-w610 | <= 3.1.1.0 | |

Detection & IOCs (extracted from sources)

  • Detect authentication attempts to the USR-W610 web management interface using empty/blank username and password credentials (HTTP Basic Authentication with empty fields)
  • Monitor for Telnet login attempts with empty/blank credentials targeting USR-W610 devices (affected versions <= 3.1.1.0)
  • Detect HTTP Basic Authentication traffic (non-HTTPS) to USR-W610 management interfaces; credentials are base64-encoded but not encrypted and can be passively intercepted
  • The vulnerability is present in all USR-W610 firmware versions <= 3.1.1.0; the product is end-of-life with no planned patch, so all deployed devices remain permanently vulnerable
  • Authentication bypass is triggered by an administrator actively setting both username and password to blank values via the web management interface; the device must be misconfigured to be exploitable
  • No known public exploitation specifically targeting this vulnerability has been reported to CISA at time of advisory publication
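
The first and third detection points above can be checked against captured plaintext HTTP requests. The following is an added example, not code from the advisory or the vendor: the function names, the sample requests and the 192.0.2.10 address are constructed for illustration.

```python
import base64
import binascii


def parse_basic_auth(header_value):
    """Return (username, password) from an Authorization header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed token: not a usable credential pair
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


def classify_request(raw_request):
    """Classify one plaintext HTTP request seen on the management interface.

    'blank-credentials'    -> Basic auth with empty username and password
    'cleartext-basic-auth' -> Basic auth readable on the wire (no TLS)
    None                   -> no Basic Authorization header present
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            creds = parse_basic_auth(value)
            if creds == ("", ""):
                return "blank-credentials"
            if creds is not None:
                return "cleartext-basic-auth"
    return None


# Constructed sample requests (documentation address, made-up credentials).
_TOKEN = base64.b64encode(b"operator:constructed-pass").decode()
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic Og==\r\n\r\n",
    f"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic {_TOKEN}\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n", 1)[0], "->", classify_request(req))
```

`Og==` is the base64 encoding of a lone `:`, which is what a Basic Authorization header carries when both fields are empty.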