Description
The Wi-Fi router is vulnerable to de-authentication attacks due to the
absence of management frame protection, allowing forged deauthentication
and disassociation frames to be broadcast without authentication or
encryption. An attacker can use this to cause unauthorized disruptions
and create a denial-of-service condition.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Deauthentication Attacks
Action: Disable Device
AI Analysis

Impact

Because the router does not implement management frame protection, an attacker can forge deauthentication and disassociation frames. The weakness is classified as missing authentication for a critical function (CWE‑306). When these frames are broadcast, the Wi‑Fi router will disconnect authorized clients without verifying the source, leading to an interruption of service. The flaw can be exploited to permanently disrupt network connectivity for any device that relies on this router. Based on the description, the attacker must be within wireless range of the target network to broadcast these frames.

Affected Systems

The affected hardware is the Jinan USR IOT Technology Limited PUSR USR‑W610 Wi‑Fi router. No specific firmware versions were supplied; the entire product line appears to be affected.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity. The EPSS score indicates a very low probability of exploitation (< 1%). The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. Based on the description, the attack vector is inferred to be wireless proximity to the target network: an attacker within range can transmit the forged frames over the air without authenticating, which makes this a low‑barrier denial-of-service threat.

Generated by OpenCVE AI on April 18, 2026 at 11:30 UTC.

Remediation

Vendor Workaround

Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.


OpenCVE Recommended Actions

  • Immediately disconnect the affected PUSR USR‑W610 router from all critical networks or replace it with a device that supports authenticated management frames
  • Enable WPA2/WPA3 encryption and disable any automatic re‑association features that could be exploited by forged frames
  • Implement network monitoring tools that detect anomalous deauthentication or disassociation frames and alert administrators
  • Contact Jinan USR IOT Technology Limited to request a software update or alternative security measures
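
As an illustration of the monitoring action above (an added example, not part of the CVE record or any vendor tool): the code parses raw 802.11 MAC headers, picks out deauthentication and disassociation frames, and raises one alert when a BSSID sees a burst of them. The 1-second window, the threshold of 5, the function names and the sample frames are assumptions; frames are assumed to start at the MAC header with any radiotap header already removed.

```python
import struct
from collections import defaultdict, deque
SUBTYPES = {10: "disassoc", 12: "deauth"}  # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None.
    Assumes the bytes start at the 802.11 MAC header (radiotap already stripped)."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return SUBTYPES[subtype], mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_s, raw_bytes). Returns one alert per burst:
    (timestamp, bssid, frames_in_window, broadcast_destination_seen)."""
    recent, alerting, alerts = defaultdict(deque), set(), []
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        _, dst, _, bssid, _ = parsed
        q = recent[bssid]
        q.append((ts, dst))
        while ts - q[0][0] > window:         # drop frames older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(bssid)          # burst over, re-arm for this BSSID
        elif bssid not in alerting:
            alerting.add(bssid)
            alerts.append((ts, bssid, len(q), any(d == BROADCAST for _, d in q)))
    return alerts

# Constructed sample frames (not captured traffic); MACs are locally administered.
AP = "020000000001"
TAIL = AP + AP + "0000" + "0700"             # src, bssid, seq ctrl, reason code 7
DEAUTH_BCAST = bytes.fromhex("c0000000" + "ffffffffffff" + TAIL)
DISASSOC_STA = bytes.fromhex("a0000000" + "0200000000aa" + TAIL)
BEACON = bytes.fromhex("80000000" + "ffffffffffff" + TAIL)
SAMPLE = ([(0.0, BEACON), (0.5, DISASSOC_STA)]                    # normal traffic
          + [(10.0 + i * 0.1, DEAUTH_BCAST) for i in range(8)])   # burst

print(detect(SAMPLE))  # one alert for the burst, none for the lone disassociation
```

A single disassociation is normal client behaviour, so the alert keys on rate per BSSID rather than on the mere presence of these frame types.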


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jinan Usr Iot Technology Limited (pusr); Jinan Usr Iot Technology Limited (pusr) usr-w610
Vendors & Products | | Jinan Usr Iot Technology Limited (pusr); Jinan Usr Iot Technology Limited (pusr) usr-w610

Fri, 20 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker can use this to cause unauthorized disruptions and create a denial-of-service condition.
Title | | Jinan USR IOT Technology Limited (PUSR) USR-W610 Missing Authentication for Critical Function
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-20T19:56:09.601Z

Reserved: 2026-02-10T15:52:10.274Z

Link: CVE-2026-26048

Vulnrichment

Updated: 2026-02-20T19:55:55.232Z

NVD

Status: Deferred

Published: 2026-02-20T17:25:53.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses