Description
The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A lack of authentication protects the web interface of the Hubbell Aclara Metrum Cellular device. This weakness allows an attacker to change critical configuration settings or restart the device without permission. The resulting unauthorized changes can interrupt normal device operations and, if repeated, can cause a loss of communications with the meter.

Affected Systems

Hubbell’s Aclara Metrum Cellular Web Interface, versions prior to firmware 2.1.0.105. The vulnerability is present in all earlier firmware releases until the recommended update is applied.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. Exploitation is straightforward over the Internet because the web interface accepts requests without authentication, and no other mitigating controls are reported. The vulnerability is not listed in the CISA KEV catalog, but the lack of authentication suggests a high likelihood of exploitation if the interface is reachable from the network.

Generated by OpenCVE AI on June 24, 2026 at 21:37 UTC.

Remediation

Vendor Solution

Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ .

OpenCVE Recommended Actions

  • Update the unit firmware to version 2.1.0.105 from AclaraConnect
  • Lock down the web interface by allowing access only from trusted networks or VPN connections
  • Continuously monitor the device’s configuration for unauthorized changes and restore secure settings if altered

Generated by OpenCVE AI on June 24, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.
Title Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-24T19:47:29.212Z

Reserved: 2026-02-03T16:50:25.254Z

Link: CVE-2026-1840

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function