
CISA flags hardcoded credentials in PUSR USR-W610 ICS converter

A CVSS 9.8 flaw with no patch, no vendor response, and no domestic fallback leaves critical manufacturing operators holding the bag.


TL;DR

CISA advisory ICSA-26-148-02 covers CVE-2026-7786 (CVSS 9.8), a hardcoded-credential flaw in firmware version 7.03T.07 of the Jinan USR IOT Technology (PUSR) USR-W610 RS232/485-to-Wi-Fi converter. Plaintext admin credentials embedded in the firmware image can be extracted and used to authenticate remotely with no prior privileges. PUSR did not respond to CISA coordination attempts; there is no patched firmware and no remediation timeline. CISA's guidance is to isolate, firewall, and use VPNs: standard ICS hardening, with no device-level fix available.

CVE-2026-7786 is about as bad as it reads: plaintext administrative credentials baked into the firmware image of a device designed to bridge legacy RS232/485 serial equipment to Wi-Fi and Ethernet in production manufacturing environments. CVSS 3.1 scores it 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), meaning network-reachable, low attack complexity, no credentials required, no user interaction. Any operator who has placed a USR-W610 running firmware 7.03T.07 on a segment reachable from an untrusted network has, functionally, a device with a public admin password.

No patch, no response

CISA's coordination with the vendor produced nothing. Jinan USR IOT Technology Limited (PUSR), headquartered in China, did not respond to outreach, and the advisory lists no patched firmware version and no remediation timeline. The only entry under "Remediations" is a suggestion that operators contact PUSR themselves and keep systems current, advice that is circular when the vendor won't respond and no update exists.

That leaves affected organizations with network controls as the only real lever. CISA's recommended practices here are standard ICS hygiene: remove the device from any internet-reachable segment, isolate control system networks behind firewalls, and require VPN for any remote access. Those measures reduce exposure but do not close the vulnerability. A device with hardcoded credentials is compromised by anyone who has extracted and published those credentials, regardless of network segmentation; segmentation just controls who gets to the login prompt first.

What practitioners do Monday

If USR-W610 converters appear in your asset inventory, the immediate question is network position. Devices sitting on a flat network between IT and OT, or accessible via any remote-access path, carry material risk right now. Firmware analysis of the kind described in the advisory (CWE-798) is not an advanced technique; credential extraction from embedded firmware is a published discipline with widely available tooling.
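The inventory triage described above can be scripted. This is an added example, not code from CISA, PUSR or the article; the CSV column names, zone labels and hostnames are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

AFFECTED_MODEL = "USRW610"          # "USR-W610" with punctuation stripped
AFFECTED_FIRMWARE = "7.03T.07"      # the only version the advisory names
INTERNET_ZONES = {"internet-dmz"}   # zone labels are assumptions
FLAT_ZONES = {"flat-it-ot"}
# Constructed sample inventory: hypothetical hosts and column names.
SAMPLE_INVENTORY = """hostname,model,firmware,zone,remote_access,vpn_required
packaging-2,USR-W610,7.03T.07,ot-isolated,no,no
paint-booth,USR-W610,,ot-isolated,yes,yes
lab-bench,EXAMPLE-SER2NET,1.0,flat-it-ot,no,no
cnc-cell-1,usr w610,7.03t.07,flat-it-ot,no,no
press-line-3,USR-W610,V7.03T.07,internet-dmz,yes,no
"""

def is_w610(model):
    return re.sub(r"[^A-Z0-9]", "", model.upper()) == AFFECTED_MODEL

def firmware_status(fw):
    # No patched release exists: another or missing version is "unverified", never "safe".
    fw = fw.strip().upper().lstrip("V")
    return "affected" if fw == AFFECTED_FIRMWARE else "unverified"

def exposure(row):
    """Rank network position; lower rank means act first."""
    zone = row["zone"].strip().lower()
    remote = row["remote_access"].strip().lower() == "yes"
    vpn = row["vpn_required"].strip().lower() == "yes"
    if zone in INTERNET_ZONES:
        return 0, "internet-reachable segment"
    if remote and not vpn:
        return 1, "remote access without VPN"
    if zone in FLAT_ZONES:
        return 2, "flat IT/OT network"
    if remote:
        return 3, "remote access behind VPN"
    return 4, "isolated; plan replacement"

def triage(inventory_csv):
    """Return (hostname, firmware_status, reason) tuples, most exposed first."""
    rows = [r for r in csv.DictReader(io.StringIO(inventory_csv)) if is_w610(r["model"])]
    hits = [(*exposure(r), firmware_status(r["firmware"]), r["hostname"]) for r in rows]
    hits.sort(key=lambda h: (h[0], h[2] != "affected", h[3]))
    return [(h[3], h[2], h[1]) for h in hits]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

Every matching device stays on the list, including isolated ones, because segmentation reduces exposure without removing the credentials from the firmware.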

Longer term, this device has no remediation path from the vendor and operates in the critical manufacturing sector. Defense-industrial-base contractors running serial-to-Wi-Fi converters for shop-floor or production-line connectivity should verify whether USR-W610 is in scope and, if so, treat replacement planning as a near-term action, not a future roadmap item. There is no indication PUSR will produce a patched firmware, and CISA has no mechanism to compel one.

Researchers Arun Mane and Omkar Mali reported the vulnerability to CISA.


Deep Fathom · The Broadside