VYPR
Advisory · Published Jun 23, 2026 · 1 source

CISA Warns of Unauthenticated Access Flaw in Hubbell Aclara Metrum Cellular Web Interface

CISA disclosed CVE-2026-1840, a high-severity missing authentication vulnerability in Hubbell Aclara Metrum Cellular Web Interface that could let unauthenticated attackers alter critical device settings and trigger system restarts.

CISA has disclosed a high-severity vulnerability, tracked as CVE-2026-1840, in the Hubbell Aclara Metrum Cellular Web Interface. The flaw, which carries a CVSS v3.1 base score of 7.5, stems from missing authentication for a critical function (CWE-306) in versions prior to 2.1.0.105. Successful exploitation could allow unauthenticated attackers to manipulate critical device settings and repeatedly disrupt operations, potentially causing a loss of communications to the device.

The affected product is the Aclara Metrum Cellular Web Interface, a component used in energy sector infrastructure across the United States. The vulnerability exposes essential configuration settings, enabling attackers to alter operational parameters and trigger system restarts without any authentication. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device, posing significant risks to grid stability and reliability.

Hubbell has released firmware version 2.1.0.105 to remediate the issue. Users are strongly encouraged to update their firmware to this version, to minimize network exposure, and to ensure that devices are not accessible from the internet. The firmware can be downloaded from the Aclara Connect portal. CISA also recommends that organizations locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, more secure methods such as Virtual Private Networks (VPNs) should be used, though VPNs themselves should be kept updated.
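As an added example (not code from CISA, Hubbell, or this advisory), the following triages an asset inventory against the two remediation points above: firmware older than 2.1.0.105 and management addresses that are internet-routable. The CSV layout, column names, asset IDs and addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

FIXED = (2, 1, 0, 105)  # first fixed firmware version, per the advisory

# Constructed sample inventory; columns and rows are assumptions for illustration.
# Well-known public resolver addresses stand in for internet-routable IPs.
SAMPLE_INVENTORY = """asset_id,firmware,mgmt_ip
meter-gw-01,2.1.0.99,10.20.30.11
meter-gw-02,2.1.0.105,10.20.30.12
meter-gw-03,2.0.4.7,8.8.4.4
meter-gw-04,2.1.0.105,1.1.1.1
meter-gw-05,unknown,10.20.30.15
"""

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != len(FIXED) or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map asset_id -> sorted list of findings for each row needing action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        version = parse_version(row["firmware"])
        if version is None:
            issues.append("firmware-unknown")      # unverified, not assumed safe
        elif version < FIXED:                      # numeric compare: 99 < 105
            issues.append("firmware-vulnerable")
        try:
            if ipaddress.ip_address(row["mgmt_ip"].strip()).is_global:
                issues.append("internet-routable")
        except ValueError:
            issues.append("address-invalid")
        if issues:
            findings[row["asset_id"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for asset, issues in triage(SAMPLE_INVENTORY).items():
        print(asset, ", ".join(issues))
```

Comparing versions as integer tuples matters here: as plain strings, "2.1.0.99" sorts after "2.1.0.105" and a vulnerable device would be reported as patched.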

The vulnerability was reported to CISA by researcher Abhirup Konwar. As of the initial publication date of June 23, 2026, no known public exploitation specifically targeting this vulnerability has been reported to CISA. However, the absence of authentication on critical functions makes this an attractive target for threat actors seeking to disrupt energy infrastructure.

This advisory is part of CISA's ongoing effort to secure industrial control systems (ICS) in critical infrastructure sectors. The energy sector, in particular, has been a frequent target for both nation-state and financially motivated attackers. Vulnerabilities in cellular-connected devices like the Aclara Metrum can serve as entry points for broader network compromise or as direct vectors for denial-of-service attacks against grid communications.

Organizations using the affected product should prioritize patching and follow CISA's recommended practices for ICS cybersecurity, including defense-in-depth strategies and regular vulnerability assessments. CISA also encourages reporting any suspected malicious activity to help track and correlate incidents across the sector.

Synthesized by Vypr AI