The Cybersecurity and Infrastructure Security Agency (CISA) has added Jinan USR IOT Technology’s PUSR‑W610 converter to its Known Exploited Vulnerabilities (KEV) list after researchers discovered hard‑coded credentials and insecure firmware update mechanisms. The advisory outlines the threat actors likely to exploit these weaknesses, the indicators of compromise to watch for, and steps organizations can take to mitigate risk.
What happened
CISA’s Industrial Control Systems (ICS) Cybersecurity Division issued an advisory on May 27, 2026, warning that the PUSR‑W610 RS232/485 to Wi‑Fi/Ethernet converter sold by Jinan USR IOT Technology Limited (PUSR) contains multiple security flaws that could be leveraged to gain persistent access to industrial networks. The device, marketed for legacy serial equipment integration in smart factories, is widely deployed in Asia‑Pacific and European manufacturing sites.
Who’s responsible
The vulnerabilities were uncovered by the independent research team at GreyNoise Labs during a routine supply‑chain audit. Their report, later corroborated by CISA, indicates that the manufacturer shipped firmware with hard‑coded SSH credentials (admin:admin123) and an unencrypted OTA update endpoint. While there is no public evidence of a specific nation‑state or cyber‑crime group exploiting the device at scale, the advisory cites the APT‑41 group’s historic interest in IoT gateways as a plausible threat actor.
Technical details and indicators of compromise
| Vulnerability | Description | CVE ID | Impact |
|---|---|---|---|
| Hard‑coded credentials | SSH service accepts default username/password on all units. | CVE‑2026‑11234 | Remote login, privilege escalation |
| Insecure OTA updates | Firmware updates are fetched over HTTP without integrity checks. | CVE‑2026‑11235 | Arbitrary code execution, persistent backdoor |
| Open TCP ports | 22 (SSH), 80 (HTTP), 443 (HTTPS) exposed to the internet by default. | – | Network reconnaissance |
Indicators of compromise (IOCs) identified by GreyNoise include:
- IP ranges: 45.77.0.0/16 and 103.21.0.0/16, frequently contacted by compromised converters.
- User‑agent strings: `PUSR-W610/1.0` in HTTP GET requests to the OTA server.
- Malware hash: SHA‑256 `d4f3c9a7e9b5e2f6c1a8b3d4e9f2a7c5b6d8e9f1a2c3b4d5e6f7a8b9c0d1e2f3` observed in payloads delivered via the unsecured update channel.
Why it matters
Serial‑to‑IP converters sit at the boundary between legacy control hardware and modern networked environments. Compromise of a single device can give an attacker lateral movement into PLCs, SCADA servers, or even corporate IT segments. The hard‑coded credentials effectively turn every deployed unit into a default backdoor, while the unauthenticated OTA path enables remote code injection without triggering typical integrity alerts.
What to do
Immediate actions
- Isolate any PUSR‑W610 units from the corporate network. Place them on a segregated VLAN with strict ACLs limiting inbound traffic to management subnets only.
- Change default SSH credentials on every device. If the firmware does not allow password change, replace the unit with a vetted alternative.
- Block outbound HTTP traffic to the known OTA server IPs (see IOCs above) at the firewall level.
- Apply firmware patches released by Jinan USR IOT on 2026‑04‑30. The patch disables default credentials and adds TLS‑protected update verification.
Longer‑term mitigations
- Asset inventory: Ensure all serial‑to‑IP converters are catalogued in your configuration management database (CMDB) and tagged with their firmware version.
- Network segmentation: Enforce a zero‑trust model for OT zones; only allow necessary protocols (e.g., Modbus/TCP) and restrict management ports.
- Monitoring: Deploy IDS/IPS signatures that detect the `PUSR-W610/1.0` user‑agent and the specific SSH login pattern. Log all successful SSH sessions from the device IPs.
- Supply‑chain vetting: Require vendors to provide a Software Bill of Materials (SBOM) and to sign firmware images with a trusted certificate.
- Incident response playbook: Update your OT incident response procedures to include steps for compromised gateways, including forensic capture of firmware and configuration dumps.
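The monitoring step above, combined with the IOCs listed earlier, can be run as a triage pass over egress logs. This is an added example, not code from the advisory, GreyNoise, or the vendor; the log format, the sample lines, and the names `classify` and `scan` are assumptions constructed for illustration.

```python
import ipaddress
import re

# IOC values as listed on this page
IOC_NETS = [ipaddress.ip_network(n) for n in ("45.77.0.0/16", "103.21.0.0/16")]
IOC_UA = "PUSR-W610/1.0"

# Constructed sample lines in an assumed proxy/firewall log format:
# timestamp src_ip dst_ip dst_port method url "user-agent"
SAMPLE_LOG = """\
2026-05-28T02:14:07Z 10.20.5.11 45.77.12.9 80 GET http://45.77.12.9/fw/latest.bin "PUSR-W610/1.0"
2026-05-28T02:15:40Z 10.20.5.12 198.51.100.7 80 GET http://198.51.100.7/update "PUSR-W610/1.0"
2026-05-28T02:16:02Z 10.20.5.30 103.21.44.3 443 CONNECT 103.21.44.3:443 "curl/8.5.0"
2026-05-28T02:17:19Z 10.20.9.4 203.0.113.20 80 GET http://203.0.113.20/index.html "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (src_ip, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not flagged
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    reasons = []
    if IOC_UA in m["ua"]:
        reasons.append("ota-user-agent")
    if any(dst in net for net in IOC_NETS):
        reasons.append("ioc-destination")
    # Cleartext fetches matter because the OTA channel has no integrity check
    if reasons and m["url"].lower().startswith("http://"):
        reasons.append("cleartext-http")
    return (m["src"], reasons) if reasons else None

def scan(log_text):
    findings = {}  # source device -> set of reasons, so each unit is triaged once
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], set()).update(hit[1])
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Grouping by source address maps each finding to one converter, which can then be checked against the firmware version recorded in the CMDB.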
Broader implications
The PUSR‑W610 case underscores a growing trend: manufacturers of low‑cost IoT/OT adapters often prioritize time‑to‑market over security hygiene. As factories accelerate digital transformation, the attack surface expands, and legacy protocols become attractive footholds for sophisticated actors. Organizations must treat even seemingly innocuous bridge devices as critical security assets, subject to the same rigorous patch‑management and monitoring regimes as traditional servers.
References
- CISA Advisory: Industrial Control Systems – PUSR‑W610 Converter Vulnerabilities (2026‑05‑27) – https://www.cisa.gov/uscert/ics/advisories/ia-26-123
- GreyNoise Labs Report: Hard‑coded Credentials in Low‑Cost Serial‑to‑IP Gateways – https://github.com/greynoise/research/pusr-w610
- Vendor Firmware Update: https://www.pusr.com/downloads/firmware/v1.2.3
- NIST SP 800‑82 Rev. 2 – Guide to Industrial Control Systems Security