Skip to main content

PUSR USR-W610 CVE-2026-7786

| EUVDEUVD-2026-33374 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-05-29 icscert GHSA-79x3-xvpv-235q
9.8
CVSS 3.1 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (icscert) · only source for this CVE.

CVSS VectorVendor: icscert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 17:50 vuln.today

DescriptionCVE.org

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.

AnalysisAI

Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.

Technical ContextAI

The USR-W610 is a serial-to-network converter (RS232/RS485 to Wi-Fi/Ethernet) commonly used to bring legacy industrial equipment, PLCs, and metering devices onto IP networks in ICS/OT environments. The flaw maps to CWE-798 (Use of Hard-coded Credentials): administrative credentials are baked into the firmware image itself rather than provisioned per-device, so anyone who downloads the publicly distributed firmware and runs standard analysis tools (binwalk, strings, squashfs extraction) can recover the same username/password used by every deployed unit. Because these credentials authenticate against the device's management services, recovery yields a universal key that bypasses normal authentication for the entire installed base of vulnerable firmware revisions.

RemediationAI

No vendor-released patch version is identified in the input data, so consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02 and the corresponding CSAF JSON for the latest PUSR firmware guidance and confirmed fixed builds before deploying. Until a firmware update is verified, treat the device as compromised-by-design and apply compensating controls: place USR-W610 units strictly behind a segmented OT firewall with no inbound internet exposure, restrict management-plane access (web UI, Telnet, and any vendor configuration ports) to a dedicated jump host or engineering workstation via ACLs, and disable any wireless management interface where the wired path suffices since Wi-Fi broadens the attack surface to anyone in RF range. Monitor authentication events on the device and on upstream serial endpoints for anomalous configuration changes, and consider replacing internet-exposed units with models from a vendor with a vulnerability disclosure history if a patch is not forthcoming; the side effect of strict segmentation is the loss of remote configuration convenience, which is the correct trade-off for an ICS bridge device.

Share

CVE-2026-7786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy