CVE-2026-25715 | The web management interface of the device allows the admini… | CVSS 9.8 CRITICAL

Description

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

Metadata

CVE ID: CVE-2026-25715
State: PUBLISHED
Assigner: icscert
Reserved: 2026-02-10 15:52 UTC
Published: 2026-02-20 15:56 UTC
Last updated: 2026-02-20 20:03 UTC
Primary CWE: CWE-521
CWE-521
Vendor / Product: Jinan USR IOT Technology Limited (PUSR) / USR-W610
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Jinan USR IOT Technology Limited (PUSR)	USR-W610	—	0 ≤ 3.1.1.0

Weakness (CWE)

CWE	Source	Description
CWE-521	cna	CWE-521

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)