{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1840", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-03T16:50:25.254Z", "datePublished": "2026-06-24T19:47:29.212Z", "dateUpdated": "2026-06-25T13:14:07.184Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-06-24T19:47:29.212Z"}, "title": "Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "affected": [{"vendor": "Hubbell", "product": "Aclara Metrum Cellular Web Interface", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.0.105", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.</p>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-07"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-174-07.json"}, {"url": "https://aclara.my.site.com/AclaraConnect/s/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "solutions": [{"lang": "en", "value": "Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ .", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ ."}]}], "credits": [{"lang": "en", "value": "Abhirup Konwar", "type": "reporter"}], "source": {"advisory": "ICSA-26-174-07", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T13:13:58.959179Z", "id": "CVE-2026-1840", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T13:14:07.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface", "source": {"advisory": "ICSA-26-174-07", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Abhirup Konwar"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hubbell", "product": "Aclara Metrum Cellular Web Interface", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.0.105", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ .", "supportingMedia": [{"type": "text/html", "value": "Hubbell encourages users to update their firmware to v2.1.0.105 in order to minimize network exposure and ensure that devices are not accessible from the Internet. Users can download version 2.1.0.105 from AclaraConnect https://aclara.my.site.com/AclaraConnect/s/ .", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-07"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-174-07.json"}, {"url": "https://aclara.my.site.com/AclaraConnect/s/"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.", "supportingMedia": [{"type": "text/html", "value": "<p>The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-06-24T19:47:29.212Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T13:13:58.959179Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-25T13:14:02.971Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-1840", "state": "PUBLISHED", "dateUpdated": "2026-06-24T19:47:29.212Z", "dateReserved": "2026-02-03T16:50:25.254Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-06-24T19:47:29.212Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{}

{}