Once an attacker holds full administrative control of a USR-W610 converter, the device becomes a bridge between your corporate IP network and the legacy industrial equipment it connects: programmable controllers, sensors, and serial-protocol devices that may govern physical processes. An attacker who exploits this vulnerability could reconfigure, disable, or manipulate connected industrial assets, causing operational downtime, equipment damage, or safety incidents depending on what the converter serves. Because the same credentials apply to every unpatched unit globally, a single publicly disclosed credential set exposes every affected deployment at once, and an attacker needs no sophistication or prior network access beyond reaching the management interface.
You Are Affected If
You operate Jinan USR IOT Technology Limited PUSR USR-W610 RS232/RS485-to-Wi-Fi/Ethernet converters running firmware version 7.03T.07
The device management interface (web UI on TCP 80 or Telnet on TCP 23) is reachable from an untrusted network segment, including the general corporate LAN
No firmware update removing hard-coded credentials has been applied, and no compensating network access control restricts management interface access
The converter bridges RS232 or RS485 serial equipment to your IP network in an OT, ICS, or industrial production environment
Your asset inventory (CIS 1.1) does not currently include IoT/OT serial converters, meaning affected devices may be present but untracked
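One way to apply the criteria above to an asset inventory, as an added example that is not part of the original advisory or any vendor tooling: run it from the segment you consider untrusted (for example the general corporate LAN) and it reports which inventoried USR-W610 units answer on TCP 80 or 23 from there. The CSV column names, the action labels, and the sample addresses are assumptions constructed for illustration.

```python
import csv
import io
import socket

AFFECTED_MODEL = "USR-W610"
AFFECTED_FIRMWARE = "7.03T.07"   # version named in the advisory
MGMT_PORTS = (80, 23)            # web UI and Telnet

# Constructed sample inventory (TEST-NET addresses); column names are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
192.0.2.10,USR-W610,7.03T.07
192.0.2.11,USR-W610,7.03T.07
192.0.2.12,usr-w610,
192.0.2.13,OTHER-GW,1.0
"""


def open_ports(host, ports=MGMT_PORTS, timeout=1.0):
    """Ports on host that accept a TCP connection from where this script runs."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered, or timed out
            pass
    return found


def assess(inventory_csv, probe=open_ports):
    """Return (host, action, reachable_ports) for each inventoried USR-W610."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() != AFFECTED_MODEL:
            continue
        firmware = (row["firmware"] or "").strip()
        reachable = probe(row["host"])
        if not firmware:
            action = "verify-firmware"       # version untracked: confirm on the device
        elif firmware != AFFECTED_FIRMWARE:
            action = "version-not-listed"    # advisory names only 7.03T.07
        elif reachable:
            action = "isolate-management"    # affected and exposed from this segment
        else:
            action = "patch-when-available"  # affected, management not reachable here
        findings.append((row["host"], action, reachable))
    return findings


if __name__ == "__main__":
    for host, action, ports in assess(SAMPLE_INVENTORY):
        print(f"{host}\t{action}\treachable={ports}")
```

An empty result for a host only describes the vantage point the script ran from; repeat the run from each segment that should not reach the management interface.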
Board Talking Points
A critical flaw in a widely deployed industrial networking device gives any attacker full remote control using a single shared password that cannot be changed in the firmware — every unpatched device is equally exposed.
Security teams should immediately locate all affected devices, isolate their management interfaces from untrusted networks, and apply vendor firmware updates within 72 hours of patch availability.
Without action, an attacker who obtains the hard-coded credentials — which may already be publicly accessible — can access and manipulate the industrial equipment these converters connect, risking operational outages or physical process disruption.
NERC CIP — if USR-W610 converters are deployed in bulk electric system environments, hard-coded credentials on OT-boundary devices may implicate CIP-007 (Systems Security Management) and CIP-005 (Electronic Security Perimeters) requirements
IEC 62443 — converters bridging RS232/RS485 serial equipment to IP networks in industrial control system environments fall within IEC 62443-3-3 zone and conduit security requirements; hard-coded credentials violate SR 1.5 (Authenticator Management)