
Critical Security Flaws Found in Jinan USR IOT's USR-W610 Devices Prompt CISA Advisory

Cybersecurity Reporter

CISA has issued an advisory detailing multiple critical vulnerabilities in Jinan USR IOT Technology Limited's USR-W610 industrial routers that expose affected systems to remote takeover; the agency recommends immediate patching and network segmentation.

The Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory confirming severe security vulnerabilities in Jinan USR IOT Technology Limited's USR-W610 industrial cellular routers. These devices, widely deployed in operational technology (OT) environments for remote management and data transmission, contain multiple flaws that, on unpatched firmware, could enable attackers to gain complete system control. The vulnerabilities affect firmware versions prior to v2.0.8 and remain unaddressed in those earlier releases.

Three primary vulnerabilities were documented in the CISA advisory:

  1. Hardcoded Credentials (CWE-798): Default administrative credentials are embedded in the device firmware, allowing unauthenticated attackers to gain privileged access via Telnet or web interfaces.
  2. Command Injection (CWE-77): Improper input validation in the set_ftp configuration parameter enables execution of arbitrary commands through specially crafted HTTP requests.
  3. Buffer Overflow (CWE-120): A stack-based overflow in the set_sys function could crash devices or enable remote code execution via oversized input.

Attack vectors primarily target the device's web management interface (port 80) and Telnet service (port 23). Threat actors could chain these vulnerabilities to deploy malware, pivot into industrial control networks, or establish persistent backdoors. While no active exploitation has been confirmed, proof-of-concept exploit code is publicly available, increasing the likelihood of attacks. Industrial environments using these routers for SCADA communications or remote site management are at highest risk.

Defensive recommendations include:

  • Immediately upgrading to firmware version v2.0.8 from the PUSR support portal
  • Isolating USR-W610 devices in dedicated network segments with strict firewall rules blocking external access to management interfaces
  • Disabling Telnet and replacing default credentials even after patching
  • Monitoring network traffic for anomalous connections to ports 23/TCP or 80/TCP

Organizations using these devices should conduct compromise assessments focusing on unexpected processes, new user accounts, or outbound connections to unfamiliar IP addresses. Given the device's role in critical infrastructure sectors, this advisory underscores persistent supply chain risks in industrial IoT ecosystems where vendors overlook basic security hygiene during development.
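The monitoring recommendation above (anomalous connections to 23/TCP or 80/TCP on the routers) and the compromise-assessment step (unexpected outbound connections from the devices) can be checked against flow or firewall logs. The following is an added example, not code from the advisory or the vendor; the router addresses, management subnet, known peer and the log lines are all constructed assumptions.

```python
"""Flag flows that violate the segmentation policy for USR-W610 routers.

Each constructed log line has the form:
"timestamp src_ip src_port dst_ip dst_port proto" (assumed format).
"""
import ipaddress

# Assumed inventory: router addresses, the only subnet allowed to reach
# their web (80/TCP) and Telnet (23/TCP) interfaces, and the peers the
# routers legitimately talk to (e.g. a SCADA head end on Modbus/502).
ROUTERS = {"10.20.1.5", "10.20.1.6"}
MGMT_NET = ipaddress.ip_network("10.20.99.0/24")
MGMT_PORTS = {23, 80}
KNOWN_PEERS = {"10.20.0.10"}

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """\
2024-06-01T10:00:01 10.20.99.7 51234 10.20.1.5 80 tcp
2024-06-01T10:00:05 203.0.113.44 40001 10.20.1.5 23 tcp
2024-06-01T10:00:09 10.20.1.6 51000 10.20.0.10 502 tcp
2024-06-01T10:00:12 10.20.1.6 51001 198.51.100.9 443 tcp
2024-06-01T10:00:15 10.20.50.3 52222 10.20.1.6 80 tcp
"""

def parse_flow(line):
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}

def classify(flow):
    """Return a finding label, or None if the flow is within policy."""
    if flow["proto"] != "tcp":
        return None
    # Management interface reached from outside the management segment.
    if flow["dst"] in ROUTERS and flow["dport"] in MGMT_PORTS:
        if ipaddress.ip_address(flow["src"]) not in MGMT_NET:
            return "mgmt-access-from-outside-segment"
    # Router initiating a connection to a destination not on the allowlist.
    if flow["src"] in ROUTERS and flow["dst"] not in KNOWN_PEERS:
        return "unexpected-outbound-from-router"
    return None

def find_anomalies(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            label = classify(flow)
            if label:
                findings.append((flow["ts"], label, flow["src"], flow["dst"], flow["dport"]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(*finding)
```

Legitimate management traffic from the management subnet and the router's own connection to its known SCADA peer pass; the Telnet attempt from an external address, the web access from a workstation segment, and the router's outbound connection to an unknown host are reported.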
