The Cybersecurity and Infrastructure Security Agency (CISA) issues a warning regarding multiple critical vulnerabilities in widely deployed industrial IoT devices. The advisory highlights a series of foundational security failures in the USR-W610 Wi-Fi Serial Device Server, manufactured by Jinan USR IOT Technology Limited (PUSR).
Perhaps most concerning for administrators is the news that these devices have reached their end-of-life (EOL) status, meaning no official patches are on the horizon to close these digital barn doors.
The most devastating flaw in the batch is CVE-2026-25715, which carries a critical severity rating of 9.8.
The vulnerability stems from a fundamental logic error in the device’s management settings. According to the advisory, “The web management interface of the device allows the administrator username and password to be set to blank values”.
Once this configuration is applied, the consequences are catastrophic for network integrity. The report warns that “the device permits authentication with empty credentials over the web management interface and Telnet service”. This “effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials”.
Beyond the login bypass, the USR-W610 suffers from a lack of modern cryptographic standards and poor UI security:
- Cleartext Interception (CVE-2026-24455): The device lacks support for HTTPS/TLS, relying instead on antiquated HTTP Basic Authentication. This ensures that “traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network”.
- Plaintext Password Visibility (CVE-2026-26049): In a major blow to physical security, the web interface “renders the passwords in a plaintext input field”. This oversight leaves administrator credentials “directly visible to anyone with access to the UI,” exposing them to “shoulder surfing, screenshots, or browser form caching”.
- Wi-Fi De-authentication (CVE-2026-26048): The device is also vulnerable to localized disruption because it lacks Management Frame Protection. This allows an attacker to broadcast forged frames to “cause unauthorized disruptions and create a denial-of-service condition”.
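The two management-channel weaknesses above (Basic authentication over cleartext HTTP, and a device that accepts empty credentials) are both visible to a passive network monitor watching the management VLAN. The following is an added detection example, not code from CISA, PUSR or the advisory: it decodes the Basic Authorization header from constructed sample HTTP requests and flags cleartext credential exposure and empty-credential logins. The sample requests, the paths and the documentation address 192.0.2.10 are all constructed for the example.

```python
import base64
from dataclasses import dataclass

# Constructed sample traffic as a span-port sensor might capture it: plain HTTP
# requests to a device web UI using HTTP Basic Authentication (base64, not encrypted).
SAMPLE_REQUESTS = [
    # "admin:admin" encoded, sent over plain HTTP
    "GET /login.html HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    # ":" encoded, i.e. blank username and blank password
    "GET /config.html HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic Og==\r\n\r\n",
    # no credentials at all
    "GET /status.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

@dataclass
class Finding:
    path: str
    issues: list

def parse_basic_auth(raw_request: str):
    """Return (username, password) from a Basic Authorization header, or None."""
    head = raw_request.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            # Basic auth is only base64: anyone on the path can decode it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None

def audit_request(raw_request: str, tls: bool = False) -> Finding:
    """Classify one request; tls=True means the sensor saw it inside a TLS session."""
    parts = raw_request.split("\r\n", 1)[0].split(" ")
    path = parts[1] if len(parts) > 1 else "?"
    issues = []
    creds = parse_basic_auth(raw_request)
    if creds is not None:
        if not tls:
            issues.append("basic-auth-over-cleartext")  # credential interception risk
        if creds == ("", ""):
            issues.append("empty-credentials")          # authentication effectively disabled
    return Finding(path, issues)

def audit_all(requests, tls: bool = False):
    return [audit_request(r, tls) for r in requests]
```

A sensor running this against real captures would raise the empty-credentials finding the moment the blank-password configuration is used, which is the signal to pull the unit off the network.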
The vendor, Jinan USR IOT Technology Limited, has officially stated that “the product is end-of-life, and there are no plans to patch”. This leaves the USR-W610 (version 3.1.1.0 and below) permanently vulnerable to “authentication being disabled, a denial-of-service condition, or an attacker stealing valid user credentials”.
With no fixes incoming, CISA and security researchers urge users to immediately retire affected units or isolate them within strictly segmented networks where no unauthorized “network-adjacent” actors can reach the management interfaces.