CVE-2026-24455 identifies a security vulnerability in the USR-W610 device manufactured by Jinan USR IOT Technology Limited (PUSR). The core issue lies in the device's embedded web interface, which relies on HTTP Basic Authentication transmitted over unencrypted HTTP connections. While the credentials are encoded (likely base64), they are not encrypted, making them susceptible to passive interception by any attacker sharing the same network segment. This vulnerability corresponds to CWE-319, which concerns the cleartext transmission of sensitive information. The lack of HTTPS/TLS support means that all authentication traffic is exposed to network sniffing tools, enabling attackers to capture usernames and passwords without active interaction or elevated privileges. The CVSS v3.1 score of 7.5 reflects a high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality. The vulnerability affects all versions of the USR-W610 device, and no patches or mitigations have been officially released as of the publication date. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk in environments where the device is deployed, especially in unsecured or shared network environments.

The primary impact of this vulnerability is the compromise of user credentials through passive network interception. Attackers on the same local network can easily capture authentication tokens, leading to unauthorized access to the device's management interface. This can result in attackers gaining control over the device, potentially manipulating its functions, disrupting operations, or using it as a foothold for further network intrusion. Since the vulnerability does not affect integrity or availability directly, the main concern is confidentiality breach. However, once credentials are compromised, attackers could alter device configurations or firmware, indirectly impacting integrity and availability. Organizations relying on the USR-W610 for critical IoT functions may face operational disruptions, data breaches, or lateral movement within their networks. The risk is heightened in environments with poor network segmentation or where these devices are accessible from less secure network zones.

To mitigate this vulnerability, organizations should implement strict network segmentation to isolate the USR-W610 devices from general user networks and untrusted devices. Deploying Virtual Private Networks (VPNs) or secure tunnels for accessing the device management interface can protect credentials from interception. If possible, replace the USR-W610 with devices supporting HTTPS/TLS and stronger authentication mechanisms. Network administrators should monitor network traffic for suspicious activity indicative of credential interception attempts. Employing network intrusion detection systems (NIDS) with signatures for HTTP Basic Authentication traffic can help detect potential exploitation. Additionally, enforcing strong, unique passwords and changing default credentials reduces the risk of unauthorized access if credentials are compromised. Until an official patch or firmware update is released, these compensating controls are critical to reduce exposure.