Hardcoded Administrative Credentials in PUSR USR-W610 Firmware

Successful exploitation allows an attacker to recover valid administrative credentials and obtain unauthorized administrative access to the affected converter. With administrative control of the device, an attacker may hijack the connectivity device, intercept or modify data traversing between connected machines, disrupt trusted serial-to-network communications, and use the device as a foothold for lateral movement into adjacent local or operational technology networks. The provided context characterizes the issue as critical and assigns a CVSS score of 9.8.

Immediate defensive measures identified in the provided content are to isolate affected assets, enforce strict access control lists around device access, and disable management interfaces exposed to the public internet. More broadly, management access should be restricted to trusted administrative networks only until a vendor fix or credential rotation mechanism is available. The provided content does not include a confirmed vendor patch or firmware update.

Remove embedded static administrative credentials from the firmware and redesign authentication so that each device requires unique credentials provisioned securely at manufacture or first boot. Rotate or invalidate any affected credentials, release updated firmware that eliminates plaintext hardcoded secrets, and require administrators to change default or recovered passwords after upgrade. If the same credentials are shared across devices, treat them as compromised fleet-wide.