CVE-2026-7786

Jinan USR IOT Technology Limited · USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

The Jinan USR-W610 converter firmware contains hardcoded plaintext administrative credentials that can be extracted to gain unauthorized access to the device.

Executive summary

A critical vulnerability in the Jinan USR-W610 converter firmware allows unauthorized administrative access due to the inclusion of hardcoded credentials.

Vulnerability

This is an improper neutralization of hardcoded credentials (CWE-798) vulnerability. An unauthenticated attacker can extract these credentials from the firmware image to gain full administrative control over the device.

Business impact

The presence of hardcoded credentials poses a severe risk to operational technology environments where these converters are deployed. Successful exploitation, rated at 9.8 (Critical), grants an attacker full administrative access, potentially leading to unauthorized control of industrial processes, data interception, or the permanent bricking of hardware.

Remediation

Immediate Action: Update the firmware of the USR-W610 device to the latest version provided by the manufacturer.

Proactive Monitoring: Monitor network traffic for unauthorized administrative logins to the converter and review system logs for anomalies originating from the device.

Compensating Controls: Isolate the converter device within a restricted VLAN and restrict administrative interface access to known, secure management IP addresses.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a significant security oversight that provides attackers with a direct path to device compromise. Administrators must prioritize updating the firmware to remediate the hardcoded credentials and prevent unauthorized access to these critical industrial assets.