{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26049", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-10T15:52:10.261Z", "datePublished": "2026-02-20T16:03:56.928Z", "dateUpdated": "2026-02-20T16:07:25.350Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "USR-W610", "vendor": "Jinan USR IOT Technology Limited (PUSR)", "versions": [{"lessThanOrEqual": "3.1.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abhishek Pandey of Payatu Security Consulting reported this to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."}], "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-20T16:07:25.350Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json"}], "source": {"advisory": "ICSA-26-050-03", "discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Jinan USR IOT Technology Limited (PUSR) has stated that the product is \nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \ndevices are encouraged to <a target=\"_blank\" rel=\"nofollow\">contact PUSR</a> and keep their systems up to date.\n\n<br>"}], "value": "Jinan USR IOT Technology Limited (PUSR) has stated that the product is \nend-of-life, and there are no plans to patch. Users of PUSR USR-W610 \ndevices are encouraged to contact PUSR and keep their systems up to date."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{}

{"cveTags": [{"sourceIdentifier": "ics-cert@hq.dhs.gov", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."}], "id": "CVE-2026-26049", "lastModified": "2026-02-20T17:25:53.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-20T17:25:53.623", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}