VYPR
Advisory · Published May 28, 2026 · 1 source

CISA Warns of Critical Hard-Coded Credentials in PUSR USR-W610 Industrial Converters

CISA disclosed a critical vulnerability (CVE-2026-7786, CVSS 9.8) in Jinan USR IOT's USR-W610 RS232/485 to Wi-Fi/Ethernet converter, where hard-coded plaintext admin credentials in the firmware allow unauthenticated remote attackers to gain full device control.

CISA has issued an advisory warning of a critical vulnerability in the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet converter, a device widely deployed in critical manufacturing sectors worldwide. The flaw, tracked as CVE-2026-7786 and carrying a CVSS score of 9.8, stems from hard-coded plaintext administrative credentials embedded directly in the device firmware. An attacker who extracts the firmware—a straightforward process given the lack of obfuscation—can obtain these credentials and authenticate to device services over the network, gaining full administrator access.

The affected product is the USR-W610 running firmware version 7.03T.07. The device is used to bridge legacy serial equipment (RS232/485) to modern Wi-Fi or Ethernet networks, making it a common component in industrial control system (ICS) environments. Because these converters often sit at the edge of operational technology networks, a compromise could allow attackers to pivot deeper into critical manufacturing infrastructure, potentially disrupting production lines or exfiltrating sensitive data.

CISA reported that the vendor, Jinan USR IOT Technology Limited (PUSR), did not respond to coordination attempts. As a result, no official patch or firmware update has been released. The advisory recommends that users contact PUSR directly and keep systems updated, but with no vendor response, organizations must rely on defensive measures. CISA urges minimizing network exposure of these devices, ensuring they are not accessible from the internet, and isolating them behind firewalls and VPNs.

The vulnerability was reported to CISA by researchers Arun Mane and Omkar Mali. As of the advisory date (May 28, 2026), no public exploitation of CVE-2026-7786 has been reported. However, the ease of exploitation—requiring no authentication and no user interaction—makes it a prime target for threat actors scanning for exposed industrial devices. Shodan and similar search engines likely index these converters, amplifying the risk.

This advisory is part of a broader pattern of CISA warnings about hard-coded credentials in industrial IoT devices. Similar flaws have been disclosed in recent months in products from Danelec MacGregor, KMW, and others, highlighting a persistent weakness in the ICS supply chain. The lack of vendor response in this case underscores the challenges of securing devices from manufacturers with limited security maturity or willingness to engage with disclosure programs.

Organizations using the PUSR USR-W610 should immediately audit their networks for exposed instances, apply strict access controls, and consider replacing the device with a vendor-supported alternative if possible. Until a patch emerges, the only reliable mitigation is network segmentation and monitoring for anomalous administrative logins.
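The segmentation and monitoring step above, sketched as an added example (not code from CISA, PUSR, or the advisory): it reads firewall flow records and flags any connection to an inventoried converter that does not come from the management subnet. The addresses, subnets, ports, and log format are all constructed assumptions.

```python
import ipaddress

# All addresses below are constructed for this example, not taken from the advisory.
CONVERTERS = {"10.20.5.11", "10.20.5.12"}            # inventory of USR-W610 units
SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # the plant's own address space
MGMT_NETS = [ipaddress.ip_network("10.20.9.0/28")]   # jump hosts allowed to administer

# Constructed firewall flow records: timestamp, source, destination, port, action.
SAMPLE_FLOWS = """\
2026-05-28T08:01:12Z 10.20.9.4 10.20.5.11 80 ALLOW
2026-05-28T08:03:40Z 10.20.7.55 10.20.5.11 80 ALLOW
2026-05-28T08:04:02Z 203.0.113.77 10.20.5.12 80 ALLOW
2026-05-28T08:05:19Z 10.20.7.55 10.20.8.3 443 ALLOW
2026-05-28T08:06:00Z 198.51.100.9 10.20.5.12 23 DENY
malformed line
"""

def classify(src, dst):
    """Return a finding label for a flow to a converter, or None if it is expected."""
    if dst not in CONVERTERS:
        return None
    ip = ipaddress.ip_address(src)  # raises ValueError on a bad address
    if any(ip in net for net in MGMT_NETS):
        return None  # expected administrative path
    if not any(ip in net for net in SITE_NETS):
        return "external-source"  # device reachable from outside the site
    return "non-management-source"  # internal host bypassing the jump hosts

def audit(flow_text):
    """List every flow to a converter that did not originate in the management subnet."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = parts
        try:
            label, port = classify(src, dst), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if label:
            findings.append((ts, src, dst, port, action, label))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

An allowed flow labelled `external-source` means the converter is reachable from outside the site and the firewall rule needs fixing; a denied one shows the rule is holding but the device is being probed.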

Synthesized by Vypr AI