Critical

Authentication bypass via blank admin credentials in PUSR USR-W610 (<= 3.1.1.0)

IdentifiersCVE-2026-25715CWE-521· Weak Password Requirements

CVE-2026-25715 is a weak password requirements vulnerability in the Jinan USR IOT Technology Limited (PUSR) USR-W610 Wi‑Fi router (versions up to and including 3.1.1.0) where the web management interface permits the administrator username and password to be set to blank (empty) values. After these blank credentials are applied, the device accepts authentication attempts with empty credentials over both the web management interface and the Telnet service, effectively disabling authentication on critical management channels and enabling unauthorized administrative access.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker with network access to the device’s management interfaces can authenticate using empty credentials and obtain full administrative control. This results in complete compromise of confidentiality, integrity, and availability of the device (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Mitigation

If you can’t patch tonight, do this now.

Minimize exposure of the device management interfaces (web UI and Telnet) to untrusted networks; ensure they are not accessible from the internet. Place control system/OT networks and remote devices behind firewalls and isolate them from business networks, per CISA guidance in ICSA-26-050-03.

Remediation

Patch, then assume compromise.

Apply vendor-provided fixed firmware/software updates for the PUSR USR-W610 addressing CVE-2026-25715 (CISA ICS advisory ICSA-26-050-03). Ensure administrative accounts cannot be configured with blank usernames/passwords and that any existing blank credentials are replaced with strong, non-empty credentials.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

cvefeed high severityNews

Feb 20, 2026

CVE-2026-25715 - Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements

An authentication bypass / insecure configuration vulnerability where the device permits setting blank admin credentials and then allows login with empty credentials over web management and Telnet, enabling unauthenticated administrative access for a network-adjacent attacker.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-25715

NVD

nvd.nist.gov/vuln/detail/CVE-2026-25715

MITRE CWE · CWE-521

Weak Password Requirements

github.com

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json

cisa.gov

cisa.gov/news-events/ics-advisories/icsa-26-050-03