CVE-2026-25715 is a critical security vulnerability identified in the USR-W610 device manufactured by Jinan USR IOT Technology Limited (PUSR). The vulnerability arises because the device's web management interface allows the administrator username and password to be set to blank values. Once these blank credentials are applied, the device permits authentication without any credentials over both the web management interface and the Telnet service. This effectively disables all authentication mechanisms on critical management channels, allowing any attacker with network adjacency to gain full administrative privileges without needing any valid credentials. The root cause is linked to improper credential validation, classified under CWE-521 (Weak Password Requirements). The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, no required privileges, no user interaction, and impacts on confidentiality, integrity, and availability. No patches or fixes have been released yet, and there are no known exploits in the wild. The vulnerability affects all versions of the USR-W610 device as indicated. This flaw can lead to complete device takeover, enabling attackers to manipulate device configurations, disrupt operations, or pivot into internal networks.

The impact of CVE-2026-25715 is severe for organizations deploying the USR-W610 device. Since the vulnerability allows unauthenticated administrative access, attackers can fully control the device, leading to potential data breaches, network disruption, and unauthorized surveillance or manipulation of IoT infrastructure. The compromise of such devices can serve as a foothold for lateral movement within corporate or industrial networks, potentially affecting critical systems. Given the device’s role in IoT environments, this could disrupt operational technology (OT) systems or critical infrastructure. The lack of authentication also increases the risk of automated attacks and worm propagation. Organizations relying on these devices may face operational downtime, loss of sensitive information, and reputational damage. The vulnerability’s network-adjacent attack vector means that attackers do not need physical access, increasing the attack surface significantly.

Until an official patch is released, organizations should implement immediate compensating controls. First, restrict network access to the USR-W610 management interfaces by implementing strict firewall rules and network segmentation to limit access only to trusted administrators. Disable Telnet service if possible, or restrict it to secure management networks. Monitor network traffic and device logs for any unauthorized access attempts or unusual activity. Change default credentials to strong, non-blank passwords and verify that blank credentials cannot be set. If the device allows firmware upgrades, check regularly for vendor updates or advisories. Consider replacing vulnerable devices with more secure alternatives if mitigation is not feasible. Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts. Conduct regular security audits of IoT devices and enforce strict password policies. Finally, educate network administrators about this vulnerability and the importance of securing IoT management interfaces.