CVE-2026-1840 PUBLISHED

Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface

Assigner: icscert
Reserved: 03.02.2026 Published: 24.06.2026 Updated: 25.06.2026

The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Hubbell
Product	Aclara Metrum Cellular Web Interface
Versions	Default: unaffected affected from 0 to 2.1.0.105 (excl.)

Solutions

Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ .

CVE-2026-1840 PUBLISHED

Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface

Metrics

Product Status

Solutions

Credits

References

Problem Types