OTPulse

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

Plan PatchCVSS 9.8ICS-CERT ICSA-26-148-02May 28, 2026
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The USR-W610 RS232/485 to Wi-Fi/Ethernet converter (firmware 7.03T.07) contains a hardcoded credentials or authentication bypass vulnerability that allows remote attackers to gain administrator access without valid credentials. Successful exploitation grants an attacker full administrative control over the device, which could be used to intercept, modify, or block communications to connected serial devices. The vendor did not respond to CISA coordination attempts and no patch has been released.

What this means
What could happen
An attacker with network access to the device could gain administrator access and run arbitrary commands, allowing them to intercept, modify, or block serial RS232/485 data to and from your PLCs, RTUs, or other control equipment.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using USR-W610 converters to bridge RS232/485 industrial devices (PLCs, RTUs, meters, sensors) to Ethernet or Wi-Fi networks are affected. This includes any facility relying on these converters for remote monitoring or control of SCADA systems, pump stations, or distribution equipment.
How it could be exploited
The attacker sends a specially crafted network request to the Wi-Fi/Ethernet port of the converter. The device does not properly authenticate or validate the request and grants administrator privileges, allowing the attacker to reconfigure settings, access serial data, or pivot to connected control systems.
Prerequisites
  • Network access to the USR-W610 Wi-Fi or Ethernet port
  • No credentials required
Remotely exploitableNo authentication requiredLow complexityUnauthenticated network accessVendor did not patch or coordinate with CISANo patch available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
ProductAffected VersionsFix Status
USR-W610 RS232/485 to Wi-Fi/Ethernet Converter: 7.03T.077.03T.07No fix yet
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict network access to the USR-W610 device to only authorized engineering workstations and control systems using firewall rules or network segmentation
HARDENINGMonitor the USR-W610 device for unusual configuration changes or unauthorized access attempts
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Jinan USR IOT Technology Limited directly to inquire about available security updates and patches
Long-term hardening
0/1
HARDENINGIsolate the USR-W610 on a dedicated control network segment separate from office IT networks
View full CISA ICS-CERT advisory
API: /api/v1/advisories/338355a1-ac20-4457-93aa-8727ccb0d273

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter | CVSS 9.8 - OTPulse