CVE-2026-26049

Vulnerability details: The web management interface of the PUSR USR-W610 router renders the current password in a plaintext input field, rather than masking it. This design flaw means that the administrator's password is directly visible on the screen whenever the user views or edits the password field [1]. The issue affects all firmware versions up to and including 3.1.1.0 [1].

Exploitation scenario: An attacker does not need to authenticate to exploit this vulnerability; the exposure occurs simply by having access to the web interface. This could happen through shoulder surfing (looking over the administrator's shoulder), taking a screenshot of the screen, or via browser form caching that stores the plaintext value [1]. The attack vector is local or physical proximity to the device's management interface.

Impact: Successful exploitation allows an attacker to obtain valid administrator credentials, which can then be used to gain full administrative control over the device. This could lead to further compromise, including disabling authentication, authentication, denial-of-service, or theft of other user credentials [1].

Mitigation: As of the advisory publication date (February 20, 2026), the vendor has not released a patch. The affected product is known to be vulnerable, and users are advised to restrict physical and network access to the management interface as a workaround [1].