CVE-2026-25715
Published 2026-02-20
Priority P268 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.57% (42.8th percentile)
The web management interface of the device allows the administrator
username and password to be set to blank values. Once applied, the
device permits authentication with empty credentials over the web
management interface and Telnet service. This effectively disables
authentication across all critical management channels, allowing any
network-adjacent attacker to gain full administrative control without
credentials.
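The mechanism above is a CWE-521 weak-credential-policy defect: the "set admin credentials" handler accepts an empty username and an empty password, after which a login with no credentials matches the stored pair. The following is an illustrative example added here, not code from the USR-W610 firmware (which is not available): a hypothetical in-memory credential store with the vulnerable handler beside a hardened one that rejects blank values at configuration time and refuses empty submissions at login time. The store layout, the PBKDF2 parameters and `MIN_PASSWORD_LEN` are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict

# Hypothetical in-memory credential store standing in for the device's saved
# configuration. The USR-W610 firmware itself is not available here; this only
# models the behaviour the advisory describes.
@dataclass
class CredentialStore:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    users: Dict[str, bytes] = field(default_factory=dict)  # username -> password hash


def _digest(store: CredentialStore, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), store.salt, 50_000)


def _verify(store: CredentialStore, username: str, password: str) -> bool:
    stored = store.users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(store, password))


# --- vulnerable pattern (CWE-521): the "change admin credentials" handler stores
# whatever it is given, including an empty username and an empty password. -----
def set_admin_vulnerable(store: CredentialStore, username: str, password: str) -> None:
    store.users.clear()
    store.users[username] = _digest(store, password)


def authenticate_vulnerable(store: CredentialStore, username: str, password: str) -> bool:
    # Once "" / "" has been stored, a login with no credentials at all succeeds.
    return _verify(store, username, password)


# --- hardened pattern: reject blank values when the credentials are set, and
# refuse empty submissions at login time as a second line of defence. ---------
MIN_PASSWORD_LEN = 8  # assumed policy value, not from the advisory


def set_admin_hardened(store: CredentialStore, username: str, password: str) -> None:
    if not username.strip():
        raise ValueError("username must not be blank")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    store.users.clear()
    store.users[username] = _digest(store, password)


def authenticate_hardened(store: CredentialStore, username: str, password: str) -> bool:
    # Even if a blank credential pair reached the store (e.g. restored from an old
    # config backup), an empty login is refused before any comparison happens.
    if not username or not password:
        return False
    return _verify(store, username, password)


def demo() -> Dict[str, bool]:
    """Exercise both variants and return the observable outcomes."""
    vuln = CredentialStore()
    set_admin_vulnerable(vuln, "", "")  # the misconfiguration from the advisory

    hard = CredentialStore()
    set_admin_hardened(hard, "admin", "correct horse battery")
    try:
        set_admin_hardened(hard, "", "")
        blank_set_rejected = False
    except ValueError:
        blank_set_rejected = True

    return {
        "vulnerable_blank_login": authenticate_vulnerable(vuln, "", ""),
        "hardened_blank_set_rejected": blank_set_rejected,
        "hardened_blank_login": authenticate_hardened(hard, "", ""),
        "hardened_valid_login": authenticate_hardened(hard, "admin", "correct horse battery"),
        "hardened_wrong_password": authenticate_hardened(hard, "admin", "wrong password!"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The login-time guard matters on its own: a validation check only in the "set credentials" form can be bypassed by an older config backup or a second management channel (here, Telnet), so the authenticator should never accept an empty submission regardless of what the store holds.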
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jinan_usr_iot_technology_limited | usr-w610 | <= 3.1.1.0 | — |
Detection & IOCs (extracted from sources)
- Detect authentication attempts to the USR-W610 web management interface that use an empty username and an empty password (HTTP Basic Authentication with both fields blank).
- Monitor for Telnet login attempts with empty/blank credentials targeting USR-W610 devices (affected versions <= 3.1.1.0).
- Detect HTTP Basic Authentication traffic (non-HTTPS) to USR-W610 management interfaces; the credentials are base64-encoded but not encrypted and can be recovered by passive interception.
- The vulnerability is present in all USR-W610 firmware versions <= 3.1.1.0; the product is end-of-life with no planned patch, so deployed devices will not receive a firmware fix and remain vulnerable for as long as they stay in service.
- Exploitation requires an administrator to have set both the username and the password to blank values via the web management interface; a device whose credentials are non-blank is not exploitable through this CVE.
- No known public exploitation specifically targeting this vulnerability had been reported to CISA at the time of advisory publication.
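The first and third detection items above both reduce to the same check: decode the `Authorization: Basic` value and look at the username/password pair and the transport. The following is an added example, not a rule from the advisory or from any vendor: a small Python scanner run over a constructed request export (a hypothetical proxy/IDS format with timestamp, client, destination, scheme, method, path and Authorization value; the addresses, paths and header values are made up). It flags blank-credential logins, empty-password logins, and any Basic authentication sent over plaintext HTTP.

```python
import base64
import binascii
from typing import List, Optional, Tuple

# Constructed sample of HTTP request records in a hypothetical proxy/IDS export:
# timestamp, client, destination host:port, scheme, method, path, Authorization
# header value ("-" when absent). Addresses, paths and credentials are made up.
SAMPLE_LOG = """\
2026-02-20T10:00:01Z 10.0.0.5 10.0.0.20:80 http GET / Basic Og==
2026-02-20T10:00:02Z 10.0.0.5 10.0.0.20:80 http GET / Basic YWRtaW46YWRtaW4=
2026-02-20T10:00:03Z 10.0.0.7 10.0.0.20:80 http GET / Basic YWRtaW46
2026-02-20T10:00:04Z 10.0.0.7 10.0.0.20:443 https GET / Basic YWRtaW46czNjcjN0
2026-02-20T10:00:05Z 10.0.0.9 10.0.0.20:80 http GET / -
2026-02-20T10:00:06Z 10.0.0.9 10.0.0.20:80 http GET / Basic !!!notb64
"""


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header value into (username, password).

    Returns None when there is no header, the scheme is not Basic, or the token is
    not valid base64. An empty token and "Og==" (base64 of ":") both decode to
    ("", ""), which is exactly what a blank-credential login looks like on the wire.
    """
    if header == "-":
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    username, _, password = raw.partition(":")
    return username, password


def analyze_line(line: str) -> List[str]:
    """Return the findings for one record (empty list when nothing is suspicious)."""
    fields = line.split(" ", 6)  # the header value is the last field and may contain a space
    if len(fields) != 7:
        return []
    _ts, _client, _dest, scheme, _method, _path, auth = fields
    creds = decode_basic(auth)
    if creds is None:
        return []
    username, password = creds
    findings = []
    if username == "" and password == "":
        findings.append("blank-credentials")     # CVE-2026-25715 login attempt
    elif password == "":
        findings.append("empty-password")        # weaker variant, still worth triage
    if scheme == "http":
        findings.append("basic-auth-cleartext")  # recoverable by passive interception
    return findings


def scan(log: str) -> List[Tuple[str, str, List[str]]]:
    """Scan a whole export; returns (timestamp, client, findings) for flagged records."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        findings = analyze_line(line)
        if findings:
            ts, client = line.split(" ", 2)[:2]
            results.append((ts, client, findings))
    return results


if __name__ == "__main__":
    for ts, client, findings in scan(SAMPLE_LOG):
        print(ts, client, ", ".join(findings))
```

On the wire, a blank-credential Basic login carries the literal header value `Basic Og==` (or `Basic ` with nothing after it), so the same check can be expressed as a content match in a network sensor. The Telnet item needs a protocol-aware sensor that reconstructs the login prompt exchange; a plain HTTP header match does not cover it.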
GHSA
GHSA-7689-4fm5-8xxm: The web management interface of the device allows the administrator username and password to be set to blank values
ghsa_unreviewed · 2026-02-20 · CVE-2026-25715 [CRITICAL] · CWE-521 (Weak Password Requirements)
CISA ICS
ICSA-26-050-03: Jinan USR IOT Technology Limited (PUSR) USR-W610
cisa_ics · 2026-02-19 · [HIGH] CVSS 7.5
ICS Advisory
Release Date: February 19, 2026
Alert Code: ICSA-26-050-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could result in authentication being disabled, a denial-of-service condition, or an attacker stealing valid user credentials, including administrator credentials.
The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 are affected:
- USR-W610 <=3.1.1.0 (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Jinan USR IOT Technology Limited (PUSR) | Jinan USR IOT Technology Limited (PUSR) USR-W610 | Weak Pass |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2026-02-20