CVE-2026-7786 - Vulnerability Details

- Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials

Description

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.

Published: 2026-05-29

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The firmware of the Jinan USR IOT Technology Limited (PUSR) USR‑W610 RS232/485 to Wi‑Fi/Ethernet Converter contains plaintext administrative credentials that can be extracted by analyzing the firmware image. An attacker who obtains these credentials can authenticate as an administrator to device services, gaining full control over configuration and operation. This compromise enables an unauthorized user to change settings, exfiltrate data, and potentially pivot to other assets on the network.

Affected Systems

Jinan USR IOT Technology Limited (PUSR) USR‑W610 RS232/485 to Wi‑Fi/Ethernet Converter. No specific firmware versions are listed, so all current builds of this device are potentially affected.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so no known exploits are reported. However, the presence of hard‑coded credentials means that exploitation is straightforward for anyone who can access the firmware or connect to the device’s management interface. The likely attack vectors include downloading the firmware for analysis or directly accessing the device over its network interface, where the hard‑coded username and password are accepted without further verification.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jinan USR IOT Technology Limited (PUSR)

USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

unaffected

Version	Status	Constraints
`7.03T.07`	affected	—

No data.

Vendor Product Confidence Versions

Jinan Usr Iot Technology Limited (pusr)

Usr-w610 Rs232/485 To Wi-fi/ethernet Converter

100%

Version	Status	Scheme	Platform
`7.03T.07`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Jinan USR IOT Technology Limited (PUSR) did not respond to CISA's attempts at coordination. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

OpenCVE Recommended Actions

Contact PUSR to obtain an updated firmware release that removes hard‑coded credentials.
If a firmware update is not yet available, immediately change all default administrative passwords to unique, complex credentials.
Restrict network access to the device’s management interface and disable unused services to limit exposure.

Generated by OpenCVE AI on May 29, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00529.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-02.json
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02

History

Sat, 30 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jinan Usr Iot Technology Limited (pusr) Jinan Usr Iot Technology Limited (pusr) usr-w610 Rs232/485 To Wi-fi/ethernet Converter
Vendors & Products		Jinan Usr Iot Technology Limited (pusr) Jinan Usr Iot Technology Limited (pusr) usr-w610 Rs232/485 To Wi-fi/ethernet Converter

Fri, 29 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 29 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.
Title		Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials
Weaknesses		CWE-798
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-02.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Jinan Usr Iot Technology Limited (pusr) Usr-w610 Rs232/485 To Wi-fi/ethernet Converter

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-05-29T17:11:33.184Z

Updated: 2026-05-29T19:31:38.170Z

Reserved: 2026-05-04T16:07:42.001Z

Link: CVE-2026-7786

Vulnrichment

Updated: 2026-05-29T19:31:31.968Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:13.403

Modified: 2026-06-16T16:03:27.593

Link: CVE-2026-7786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:18:20Z

Weaknesses

CWE-798
Use of Hard-coded Credentials

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object