
CVE-2026-24455: CWE-319 in Jinan USR IOT Technology Limited (PUSR) USR-W610

Severity: High
Published: Fri Feb 20 2026 (02/20/2026, 16:00:42 UTC)
Source: CVE Database V5
Vendor/Project: Jinan USR IOT Technology Limited (PUSR)
Product: USR-W610

Description

The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.

AI-Powered Analysis

Last updated: 02/20/2026, 20:29:02 UTC

Technical Analysis

CVE-2026-24455 identifies a critical security weakness in the USR-W610 device manufactured by Jinan USR IOT Technology Limited. The core issue is the absence of HTTPS/TLS support on the device's embedded web interface, which relies solely on HTTP Basic Authentication. While the authentication data is encoded (likely Base64), it is not encrypted, making it trivial for an attacker with network access to intercept and decode user credentials. This vulnerability falls under CWE-319, which pertains to the cleartext transmission of sensitive information. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality (C:H) but not integrity or availability. The device’s firmware version 0 is affected, and no patches have been published yet. The vulnerability is particularly concerning in local network environments where attackers can sniff traffic, such as unsecured Wi-Fi or compromised LAN segments. The lack of encryption means that any attacker on the same network segment can capture login credentials, potentially leading to unauthorized access and further exploitation. Although no exploits are known in the wild, the ease of exploitation and the critical nature of credential exposure warrant immediate attention.
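The "encoded but not encrypted" point, as an added example (not code from the CVE record or the vendor): the Base64 in an `Authorization: Basic` header reverses without any key, so a defender can audit their own proxy or capture logs for management sessions that exposed credentials. The request records, addresses, credentials and the `over_tls` flag are constructed for illustration.

```python
import base64
import binascii

# Constructed sample records: (arrived_over_tls, raw HTTP request).
_TOKEN = base64.b64encode(b"admin:s3cret:pw")  # what a browser would send
SAMPLE_REQUESTS = [
    (False, b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            b"Authorization: Basic " + _TOKEN + b"\r\n\r\n"),
    (False, b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    (False, b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            b"authorization: basic !!not-base64!!\r\n\r\n"),
    (True,  b"GET / HTTP/1.1\r\nHost: 192.0.2.11\r\n"
            b"Authorization: Basic " + _TOKEN + b"\r\n\r\n"),
]

def basic_credentials(raw_request: bytes):
    """Return (user, password) from an Authorization: Basic header, else None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                            # malformed token
        # The password may itself contain ':'; split on the first one only.
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        return (user, password) if sep else None
    return None

def audit(records):
    """List requests that carried Basic credentials without TLS."""
    findings = []
    for index, (over_tls, raw) in enumerate(records):
        creds = basic_credentials(raw)
        if creds and not over_tls:
            user, password = creds
            # Do not log the recovered password; its length is evidence enough.
            findings.append({"record": index, "user": user,
                             "password_len": len(password)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print("cleartext Basic credentials:", finding)
```

Any account that shows up in the findings should have its password rotated once the management path is moved behind a VPN or tunnel.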

Potential Impact

The primary impact of this vulnerability is the compromise of user credentials through passive network interception, leading to unauthorized access to the device’s management interface. This can result in attackers gaining control over the device, potentially manipulating its functions or using it as a foothold for lateral movement within the network. Since the vulnerability does not affect integrity or availability directly, the immediate risk is confidentiality loss. However, once credentials are compromised, attackers could alter device configurations or disrupt services, indirectly impacting integrity and availability. Organizations deploying these devices in sensitive environments, such as industrial control systems, smart buildings, or critical infrastructure, face heightened risks of espionage, sabotage, or data breaches. The vulnerability’s exploitation could undermine trust in IoT deployments and lead to regulatory or compliance issues, especially where data protection laws mandate secure authentication mechanisms.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first isolate the USR-W610 devices on segmented networks with strict access controls to limit exposure to untrusted users. Employing VPNs or secure tunnels can encrypt traffic between administrators and the device, compensating for the lack of native HTTPS/TLS support. Network monitoring and intrusion detection systems should be configured to detect suspicious sniffing or unauthorized access attempts. Where possible, replace affected devices with models supporting secure authentication protocols such as HTTPS with TLS. If replacement is not immediately feasible, enforce strong, unique passwords and change them regularly to reduce the risk from intercepted credentials. Additionally, vendors should be engaged to prioritize firmware updates that implement HTTPS/TLS support and stronger authentication mechanisms. Finally, educating network administrators about the risks of using devices without encrypted management interfaces is essential to prevent inadvertent exposure.


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2026-02-10T15:52:10.245Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6998c0ac2c4d84f260ce40b1

Added to database: 2/20/2026, 8:14:36 PM

Last enriched: 2/20/2026, 8:29:02 PM

Last updated: 2/20/2026, 10:58:00 PM
