CVE-2026-24455

Summary

The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.

Affected Software

VendorProductVersion RangeStatus
Jinan USR IOT Technology Limited (PUSR)USR-W6100 <= 3.1.1.0affected

Weaknesses

  • CWE-319: CWE-319

Workarounds

Jinan USR IOT Technology Limited (PUSR) has stated that the product is end-of-life, and there are no plans to patch. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References