CVE-2026-25715 is a critical security vulnerability affecting the USR-W610 device produced by Jinan USR IOT Technology Limited (PUSR). The vulnerability arises because the device's web management interface allows the administrator username and password to be configured as empty strings. When this configuration is applied, the device permits authentication with blank credentials on both the web interface and the Telnet service. This effectively disables authentication controls, allowing any attacker with network adjacency to access the device's management interfaces without any credentials. The vulnerability is classified under CWE-521, which concerns the use of hard-coded or empty passwords, a well-known security weakness that severely undermines authentication mechanisms. The CVSS v3.1 base score is 9.8, reflecting the vulnerability's critical impact on confidentiality, integrity, and availability, combined with its ease of exploitation (no privileges or user interaction required). The flaw affects all versions indicated (version 0 listed) and was published on February 20, 2026. No patches or known exploits have been reported yet, but the potential for abuse is significant given the administrative access granted upon exploitation. The vulnerability compromises the core security of the device, which is likely used in IoT deployments requiring secure remote management.

The impact of CVE-2026-25715 is severe for organizations using the USR-W610 device. By allowing authentication with empty credentials, attackers can gain full administrative control over the device without any prior access or credentials. This can lead to complete compromise of the device, enabling attackers to alter configurations, disrupt device operations, intercept or manipulate data, and potentially pivot to other network resources. The vulnerability affects both web management and Telnet services, increasing the attack surface. Given that IoT devices like the USR-W610 are often deployed in critical infrastructure, industrial environments, or enterprise networks, exploitation could result in operational disruptions, data breaches, and loss of control over networked systems. The ease of exploitation and lack of authentication barriers make this vulnerability particularly dangerous, potentially allowing widespread unauthorized access in environments where these devices are deployed. The absence of known exploits in the wild does not diminish the urgency, as the vulnerability is straightforward to exploit once discovered.

To mitigate CVE-2026-25715, organizations should immediately audit all USR-W610 devices to ensure that administrator credentials are not set to blank values. If blank credentials are detected, they must be changed to strong, unique passwords immediately. Network segmentation should be employed to isolate these devices from untrusted networks and limit access to management interfaces strictly to authorized personnel and systems. Disable Telnet access if not required, or restrict it via firewall rules and access control lists. Monitor network traffic and device logs for unauthorized access attempts or anomalous behavior indicative of exploitation. Since no patches are currently available, consider deploying compensating controls such as VPNs or jump hosts for secure management access. Engage with the vendor for updates or firmware patches and apply them promptly once released. Additionally, implement multi-factor authentication if supported by the device or management infrastructure to add an extra layer of security.