CVE-2026-25715
Received
Published: 20 Feb 2026, 15:56
Last modified: 20 Feb 2026, 15:58
Vulnerability Summary
Overall Risk (default): high, 70/100
CVSS Score: 9.8 CRITICAL, v3.1 (cve.org)
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 20 Feb 2026, 15:56: Published. Vulnerability first disclosed
- 20 Feb 2026, 15:58: Last Modified. Vulnerability information updated
Description
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
CVSS Metrics
- v3.1 • CRITICAL • Score: 9.8 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Techniques & Countermeasures
- CWE-521 • Weak Password Requirements
The product does not require that users should have strong passwords.
Affected Systems
- jinan usr iot technology limited (pusr) • usr-w610 ≤ 3.1.1.0
References (2)