CVE-2026-26049 (GCVE-0-2026-26049)

Vulnerability from cvelistv5 – Published: 2026-02-20 16:03 – Updated: 2026-02-20 19:58 Unsupported When Assigned
VLAI?
Title
Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials
Summary
The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form caching.
Severity ?
5.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
Jinan USR IOT Technology Limited (PUSR) USR-W610 Affected: 0 , ≤ 3.1.1.0 (custom)
Create a notification for this product.
Credits
Abhishek Pandey of Payatu Security Consulting reported this to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T19:57:14.798564Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T19:58:24.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "USR-W610",
          "vendor": "Jinan USR IOT Technology Limited (PUSR)",
          "versions": [
            {
              "lessThanOrEqual": "3.1.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhishek Pandey of Payatu Security Consulting reported this to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."
            }
          ],
          "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T16:07:25.350Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json"
        }
      ],
      "source": {
        "advisory": "ICSA-26-050-03",
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Jinan USR IOT Technology Limited (PUSR) has stated that the product is \nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \ndevices are encouraged to \u003ca target=\"_blank\" rel=\"nofollow\"\u003econtact PUSR\u003c/a\u003e and keep their systems up to date.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Jinan USR IOT Technology Limited (PUSR) has stated that the product is \nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \ndevices are encouraged to contact PUSR and keep their systems up to date."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-26049",
    "datePublished": "2026-02-20T16:03:56.928Z",
    "dateReserved": "2026-02-10T15:52:10.261Z",
    "dateUpdated": "2026-02-20T19:58:24.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26049\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T19:57:14.798564Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T19:58:08.412Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"title\": \"Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials\", \"source\": {\"advisory\": \"ICSA-26-050-03\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Abhishek Pandey of Payatu Security Consulting reported this to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Jinan USR IOT Technology Limited (PUSR)\", \"product\": \"USR-W610\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.1.1.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Jinan USR IOT Technology Limited (PUSR) has stated that the product is \\nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \\ndevices are encouraged to contact PUSR and keep their systems up to date.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Jinan USR IOT Technology Limited (PUSR) has stated that the product is \\nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \\ndevices are encouraged to \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\"\u003econtact PUSR\u003c/a\u003e and keep their systems up to date.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The web management interface of the device renders the passwords in a \\nplaintext input field. The current password is directly visible to \\nanyone with access to the UI, potentially exposing administrator \\ncredentials to unauthorized observation via shoulder surfing, \\nscreenshots, or browser form caching.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The web management interface of the device renders the passwords in a \\nplaintext input field. The current password is directly visible to \\nanyone with access to the UI, potentially exposing administrator \\ncredentials to unauthorized observation via shoulder surfing, \\nscreenshots, or browser form caching.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-02-20T16:07:25.350Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26049\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T19:58:24.669Z\", \"dateReserved\": \"2026-02-10T15:52:10.261Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-02-20T16:03:56.928Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.