
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

A critical vulnerability (CVE-2026-7786, CVSS 9.8) affects the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter. The device firmware version 7.03T.07 contains hard-coded plaintext administrative credentials, allowing unauthenticated remote attackers to extract the credentials and gain full administrator access to the device. The vendor has not responded to coordination attempts, necessitating immediate network isolation of affected devices.

Sens: Immediate · Conf: high · Analyzed: 2026-05-28 · Google

Authors: CISA, Arun Mane, Omkar Mali

Source: CISA


What Happened

A critical security flaw was discovered in the PUSR USR-W610 Wi-Fi/Ethernet Converter, a device often used in manufacturing environments. The device's software contains hidden, hard-coded administrative passwords that anyone can extract and use. This matters because an attacker could use these passwords to take complete control of the device over the network. Since the manufacturer has not responded to fix the issue, organizations should immediately isolate these devices from the internet and place them behind secure firewalls.

Key Takeaways

  • A critical vulnerability (CVSS 9.8) exists in the PUSR USR-W610 RS232/485 to Wi-Fi/Ethernet Converter.
  • Firmware version 7.03T.07 contains hard-coded, plaintext administrative credentials embedded in the image.
  • Exploitation allows unauthenticated remote attackers to gain full administrator access to the device.
  • The vendor has not responded to CISA's coordination attempts, meaning no official patch is currently available.
  • Organizations must rely on network segmentation and isolation to mitigate the risk.

Affected Systems

  • Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter version 7.03T.07

Vulnerabilities (CVEs)

  • CVE-2026-7786

Attack Chain

An attacker obtains the firmware image for the PUSR USR-W610 device. Through firmware analysis, the attacker extracts the embedded plaintext administrative credentials. The attacker then uses these hard-coded credentials to authenticate to the device's services over the network, gaining full administrative access without requiring prior authorization.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: None. EDR agents cannot be installed on embedded ICS/IoT converter devices.
  • Network Visibility: Medium. Network monitoring might detect unusual administrative logins or traffic to the device's management ports, but the authentication itself uses valid (though hard-coded) credentials.
  • Detection Difficulty: Hard. The attack uses legitimate administrative credentials, making it difficult to distinguish from authorized administrative access without strict source-IP baselining.

Required Log Sources

  • Network flow logs
  • Authentication logs (if forwarded by the device)

Hunting Hypotheses

  • Hypothesis: Consider hunting for unexpected administrative logins to PUSR USR-W610 devices originating from non-management IP ranges.
  • Telemetry: Network flow logs, Firewall logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium
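
The hunting hypothesis above, worked as an added example (not part of the CISA advisory or any vendor tooling): a Python pass over flow records that flags connections to USR-W610 management ports from sources outside the management range. The device addresses, management subnet, site range, port list and flow rows are all constructed assumptions to replace with your own inventory.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions for illustration: site inventory and policy, not values from the advisory.
DEVICE_IPS = {ip_address("10.20.30.41"), ip_address("10.20.30.42")}  # USR-W610 units
MGMT_NETS = [ip_network("10.20.99.0/28")]   # authorized administrative jump hosts
SITE_NETS = [ip_network("10.20.0.0/16")]    # everything considered internal
MGMT_PORTS = {80, 23}                       # assumed management ports; confirm per site

# Constructed flow export: ts,src,dst,dport,proto,bytes_out,bytes_in
SAMPLE_FLOWS = """\
2026-05-28T08:01:12Z,10.20.99.5,10.20.30.41,80,tcp,1840,9211
2026-05-28T08:14:40Z,10.20.40.17,10.20.30.41,80,tcp,2210,15302
2026-05-28T08:15:02Z,10.20.40.17,10.20.30.42,80,tcp,60,0
2026-05-28T09:30:00Z,10.20.40.17,10.20.30.41,8899,tcp,512,512
2026-05-28T10:02:51Z,203.0.113.77,10.20.30.42,23,tcp,940,4100
2026-05-28T10:05:00Z,10.20.99.5,10.20.50.9,80,tcp,300,700
"""

def hunt(flow_csv, min_reply_bytes=1):
    """Return (hits, unanswered) for management-port flows from outside MGMT_NETS.

    A flow with no reply bytes was probably blocked or unanswered, so it is
    counted separately instead of being reported as a possible login.
    """
    hits, unanswered = [], 0
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, _proto, _b_out, b_in = row
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dst_ip not in DEVICE_IPS or int(dport) not in MGMT_PORTS:
            continue
        if any(src_ip in net for net in MGMT_NETS):
            continue  # expected administrative path
        if int(b_in) < min_reply_bytes:
            unanswered += 1
            continue
        external = not any(src_ip in net for net in SITE_NETS)
        hits.append({"ts": ts, "src": src, "dst": dst,
                     "dport": int(dport), "external": external})
    return hits, unanswered

if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_FLOWS)
    for hit in found:
        print(hit)
    print("unanswered attempts from non-management sources:", dropped)
```

Because the credentials are valid, a hit only shows that a non-management source completed a session on a management port; correlate it with change records before escalating.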

Control Gaps

  • Lack of vendor patch or response
  • Inability to change hard-coded firmware credentials

Key Behavioral Indicators

  • Unexpected successful logins to the device management interface from anomalous IP addresses

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider minimizing network exposure for all PUSR USR-W610 devices, ensuring they are not accessible from the internet.
  • Evaluate isolating control system networks and remote devices behind firewalls, separating them from business networks.

Infrastructure Hardening

  • If remote access is required, consider using secure methods such as updated Virtual Private Networks (VPNs).
  • Evaluate implementing strict network access control lists (ACLs) to restrict access to the device's management interfaces to authorized administrative jump hosts only.

User Protection

  • N/A

Security Awareness

  • Consider ensuring ICS operators are aware of the risks of unpatched IoT devices and the importance of strict network segmentation.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078.001 - Valid Accounts: Default Accounts