CVE-2026-26049 - Vulnerability Details

- Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials

Description

The web management interface of the device renders the passwords in a
plaintext input field. The current password is directly visible to
anyone with access to the UI, potentially exposing administrator
credentials to unauthorized observation via shoulder surfing,
screenshots, or browser form caching.

Published: 2026-02-20

Score: 5.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The web management interface of the PUSR USR‑W610 device displays the current administrator password in a plaintext input field. An individual with access to the interface can observe the entire password, exposing credentials to shoulder‑surfing attacks, screenshots, or browser form caching. This vulnerability allows malicious actors to obtain valid authentication credentials, potentially enabling unauthorized configuration changes or network access if the credentials are used elsewhere.

Affected Systems

This issue affects the PUSR USR‑W610 model produced by Jinan USR IOT Technology Limited. No specific firmware or hardware revision numbers are provided, so all units of this model are considered vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.7, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed public exploits. The likely attack vector is local to anyone who can access the device’s management interface, either physically or over a network where the UI is reachable. Due to the lack of a vendor patch and the device’s end‑of‑life status, the risk persists until mitigated by configuration changes or device replacement.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jinan USR IOT Technology Limited (PUSR)

USR-W610

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.1.0

No data.

Vendor Product Confidence Versions

Jinan Usr Iot Technology Limited (pusr)

Usr-w610

100%

Version	Status	Scheme	Platform
`[0,3.1.1.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

OpenCVE Recommended Actions

Restrict access to the device’s web management interface to a trusted internal network or VPN only.
Change the administrator password to a strong, unique value and enforce periodic password updates.
Replace or upgrade the device to a vendor‑maintained alternative that securely stores credentials and removes plaintext password rendering.

Generated by OpenCVE AI on April 17, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json
https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03

History

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jinan Usr Iot Technology Limited (pusr) Jinan Usr Iot Technology Limited (pusr) usr-w610
Vendors & Products		Jinan Usr Iot Technology Limited (pusr) Jinan Usr Iot Technology Limited (pusr) usr-w610

Fri, 20 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form caching.
Title		Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials
Weaknesses		CWE-522
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03
Metrics		cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}`

Subscriptions

Jinan Usr Iot Technology Limited (pusr) Usr-w610

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-02-20T16:03:56.928Z

Updated: 2026-02-20T19:58:24.669Z

Reserved: 2026-02-10T15:52:10.261Z

Link: CVE-2026-26049

Vulnrichment

Updated: 2026-02-20T19:58:08.412Z

NVD

Status : Deferred

Published: 2026-02-20T17:25:53.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses

CWE-522

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object