
Critical USR-W610 IoT Flaws Expose Industrial Networks to Total Compromise

Security Arsenal Team
March 1, 2026
5 min read


In the realm of Operational Technology (OT), the "set it and forget it" philosophy is a luxury attackers are eager to exploit. A recent CISA advisory underscores this risk, detailing a cluster of severe vulnerabilities in the Jinan USR IOT Technology Limited (PUSR) USR-W610 Wi-Fi router. Used frequently in Critical Manufacturing sectors worldwide, this device has flaws that could allow attackers to bypass authentication entirely, steal admin credentials in cleartext, or disrupt operations completely.

The most critical aspect of this advisory is not just the severity of the bugs—though they are dire—but the vendor’s response. PUSR has declared the USR-W610 End-of-Life (EOL) with no plans to release a patch. For organizations relying on this hardware, the playbook has shifted from "patch management" to "immediate isolation or remediation."

Vulnerability Deep Dive

The advisory identifies four distinct CVEs (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048) that, when combined, create a perfect storm for network-adjacent attackers.

1. The "Blank Check" Authentication Bypass (CVE-2026-25715)

CVSS Score: 9.8 (CRITICAL)

This is the crown jewel of the vulnerability chain. The web management interface allows an administrator to set the username and password to literally nothing—blank values. Once applied, the device accepts these empty credentials for both the web interface and the Telnet service.

The Impact: Any attacker on the same network segment can gain full administrative control without needing to crack a hash or guess a password. They simply leave the password field empty, and the door swings open.

2. Cleartext Credential Transmission (CVE-2026-24455)

CVSS Score: 7.5 (HIGH)

Even if an administrator tries to secure the device by setting a strong password, the USR-W610 undermines them by transmitting these credentials over the network using HTTP Basic Authentication. There is no HTTPS/TLS encryption.

The Impact: An attacker passively sniffing the network can capture administrator credentials in transit, granting them legitimate access to the device and potentially pivoting to other systems.

3. Plaintext Password Exposure (CVE-2026-26049)

CVSS Score: 5.7 (MEDIUM)

Security-conscious admins often avoid typing passwords on untrusted screens, but this device renders the password in a plaintext input field within the UI rather than a masked password field. This makes the password visible to anyone looking at the screen (shoulder surfing) or via browser caching mechanisms.

4. Denial-of-Service via De-authentication (CVE-2026-26048)

CVSS Score: 7.5 (HIGH)

The router lacks Management Frame Protection (802.11w). This allows an attacker to forge deauthentication frames, kicking legitimate devices off the Wi-Fi network without needing to authenticate themselves.

The Impact: This can be used to disrupt connectivity for manufacturing equipment, causing downtime or loss of sensor data.

Detection and Threat Hunting

Since there is no patch coming, detection of active exploitation attempts—or the presence of these vulnerable behaviors—is critical. Below are queries and scripts to help your SOC identify if these devices are present on the network or if they are being targeted.

1. Hunt for Telnet and HTTP Access to USR Devices

The presence of Telnet (Port 23) or unencrypted HTTP (Port 80) traffic to known IoT subnets is a strong indicator of configuration drift or vulnerability. Use this KQL query for Microsoft Sentinel to identify potential USR-W610 activity.

Script / Code
let TimeRange = 1d;
// Placeholder: replace with the OT/IoT subnet(s) where the USR-W610 units live
let OTSubnet = "192.168.100.0/24";
DeviceNetworkEvents
| where Timestamp > ago(TimeRange)
// Telnet (23) and unencrypted HTTP (80/8080) are the USR-W610 management ports
| where RemotePort in (23, 80, 8080)
// DeviceNetworkEvents carries RemoteIP/LocalIP, not SourceIP/DestinationIP, and no MAC
// address; vendor OUI matching would have to be done against DeviceNetworkInfo.MacAddress
| where ipv4_is_in_range(RemoteIP, OTSubnet)
| where Protocol == "Tcp"
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteIP, RemotePort
| order by Connections desc
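Connection metadata only shows that Telnet or HTTP reached the device. To tell whether admin credentials are actually crossing the wire in cleartext (CVE-2026-24455) or whether blank credentials (CVE-2026-25715) are in use, inspect the captured HTTP request headers themselves. The following Python script is an added example, not code from the advisory or this article; its request samples are constructed, and it records the username but never the password.

```python
"""Flag cleartext HTTP Basic Authentication to the USR-W610 management ports
and blank credentials in captured request headers (constructed sample input)."""
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample: (client, server, dst_port, raw request head) as a capture
# tool might export them. Not real traffic.
SAMPLE_REQUESTS = [
    ("10.10.5.21", "192.168.100.17", 80,
     "GET /main.html HTTP/1.1\r\nHost: 192.168.100.17\r\n"
     "Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQh\r\n\r\n"),   # admin:<password>
    ("10.10.5.33", "192.168.100.17", 80,
     "GET /main.html HTTP/1.1\r\nHost: 192.168.100.17\r\n"
     "Authorization: Basic Og==\r\n\r\n"),                       # ":" = blank user and password
    ("10.10.5.33", "192.168.100.40", 443,
     "GET / HTTP/1.1\r\nHost: 192.168.100.40\r\n\r\n"),          # no Basic auth header
]

AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.I | re.M)
CLEARTEXT_PORTS = (80, 8080)

@dataclass
class Finding:
    client: str
    server: str
    port: int
    username: str          # the password is decoded only to test for blankness
    blank_credentials: bool
    cleartext: bool

def inspect_request(client, server, port, head):
    """Return a Finding for a request carrying Basic auth, else None."""
    m = AUTH_RE.search(head)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None                      # malformed token: nothing to report
    user, _, password = decoded.partition(":")
    return Finding(client, server, port, user,
                   blank_credentials=(user == "" and password == ""),
                   cleartext=port in CLEARTEXT_PORTS)

def inspect_all(requests):
    return [f for f in (inspect_request(*r) for r in requests) if f]

if __name__ == "__main__":
    for f in inspect_all(SAMPLE_REQUESTS):
        print(f"{f.client} -> {f.server}:{f.port} user={f.username!r} "
              f"blank={f.blank_credentials} cleartext={f.cleartext}")
```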

2. Scan Network Segments for Vulnerable Services

You can use Nmap to scan your OT subnets for devices listening on Telnet or HTTP, which are the primary vectors for CVE-2026-24455 and CVE-2026-25715.

Script / Code
#!/bin/bash
# Scan an OT/IoT subnet for the USR-W610 management services (Telnet and HTTP).
set -u

# Define your OT/IoT subnet range (first argument, or the default below)
SUBNET="${1:-192.168.100.0/24}"

# Output file
REPORT="usr_w610_scan_results.txt"

echo "Scanning $SUBNET for USR-W610 vulnerable services..." > "$REPORT"

echo "[+] Checking for Telnet (Port 23) - CVE-2026-25715 Vector" >> "$REPORT"
# grep exits 1 when no host matches; that is a clean result, not an error
nmap -p 23 --open -oG - "$SUBNET" | grep "23/open" >> "$REPORT" || true

# printf instead of echo "\n": bash's echo does not expand \n without -e
printf '\n[+] Checking for HTTP (Port 80) - CVE-2026-24455 Vector\n' >> "$REPORT"
nmap -p 80 --open -oG - "$SUBNET" | grep "80/open" >> "$REPORT" || true

printf '\nScan complete. Review %s.\n' "$REPORT"

3. Detect De-authentication Floods (CVE-2026-26048)

Zeek and similar monitors only see 802.11 de-authentication frames if they are fed a monitor-mode wireless capture; conn.log, built from IP traffic, never contains them. With such a capture, look for an unusually high rate of de-auth frames from a single transmitter.

Script / Code
# Zeek's conn.log carries no 802.11 management frames, so count de-auth frames
# (type/subtype 0x0c) per transmitter in a monitor-mode capture with tshark instead
tshark -r /path/to/wifi_capture.pcap -Y "wlan.fc.type_subtype == 0x0c" -T fields -e wlan.sa -e wlan.da | sort | uniq -c | sort -rn | head -n 10
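A one-off count over a whole capture hides short bursts. The following Python detector is an added example, not code from the article or the vendor: it runs a sliding window over per-frame metadata (timestamp, transmitter MAC, 802.11 type/subtype, as exported with tshark -T fields) and reports transmitters that exceed a de-auth/disassociation rate, using constructed sample frames.

```python
"""Rate-based 802.11 de-authentication flood detector over constructed
management-frame metadata (timestamp, source MAC, type/subtype)."""
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 type/subtype values

def flood_sources(frames, threshold=20, window=5.0):
    """Return {src_mac: peak_count} for transmitters that sent at least
    `threshold` deauth/disassoc frames within any `window`-second span.
    frames: iterable of (timestamp_seconds, src_mac, type_subtype), any order."""
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peaks = {}
    for ts, src, subtype in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample: one legitimate deauth from the access point, then a burst of
# 60 deauth frames in 3 seconds from a second transmitter; beacons are ignored.
SAMPLE = [(100.0, "aa:bb:cc:00:00:01", DEAUTH)]
SAMPLE += [(200.0 + i * 0.05, "de:ad:be:ef:00:01", DEAUTH) for i in range(60)]
SAMPLE += [(200.0 + i * 0.5, "aa:bb:cc:00:00:01", BEACON) for i in range(30)]

if __name__ == "__main__":
    for mac, peak in flood_sources(SAMPLE).items():
        print(f"possible deauth flood from {mac}: {peak} frames within 5s")
```

Tune threshold and window to the access point's normal behaviour; a single legitimate de-auth per roaming client should never trip it.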

Mitigation Strategies

With the vendor refusing to patch, standard vulnerability management is off the table. Organizations must move to containment and architectural mitigation.

  1. Network Isolation (VLAN Segmentation): Immediately move any USR-W610 devices into an isolated VLAN. They should not have direct internet access. Ensure they are behind a firewall that strictly limits traffic to only necessary management IPs.

  2. Disable Telnet: If the device configuration allows, disable the Telnet service immediately. If CVE-2026-25715 is active, however, the attacker may be able to re-enable it if they gain web access. Therefore, network-level blocking of Port 23 is mandatory.

  3. Device Replacement: Start the procurement process to replace these units with supported hardware that supports WPA3/Enterprise encryption and receives regular security updates.

  4. VPN Enforcement: If remote management is absolutely required, ensure it is accessed exclusively through a hardened VPN solution. Never expose the management interface to the public internet, even behind a firewall.
