VYPR
Advisory · Published Feb 25, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-2491: Socomec DIRIS A-40 Authentication Bypass Allows Network-Adjacent Attacks

A critical authentication bypass vulnerability in the Socomec DIRIS A-40 power monitoring device's HTTP API allows network-adjacent attackers to gain unauthorized access without credentials.

A critical authentication bypass vulnerability has been disclosed in the Socomec DIRIS A-40, a widely deployed power monitoring device used in industrial and energy management environments. Tracked as CVE-2026-2491 and reported through the Zero Day Initiative (ZDI-26-129), the flaw resides in the device's HTTP API, which listens on TCP port 80 by default. An attacker positioned on the same network segment can exploit the vulnerability without any authentication, bypassing access controls entirely.

The vulnerability stems from a lack of authentication prior to allowing access to the web API's functionality. According to the advisory published by ZDI, the issue was discovered by researcher Dmitry "InfoSecDJ" Janushkevich of Trend Micro's Zero Day Initiative. The CVSS score for CVE-2026-2491 is 6.3 (medium severity), with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating low attack complexity and no required privileges or user interaction, though the attack vector is limited to networks adjacent to the target.

The Socomec DIRIS A-40 is a power monitoring and control device commonly deployed in industrial facilities, data centers, and commercial buildings to track electrical parameters. Because these devices are often connected to operational technology (OT) networks, an authentication bypass could allow attackers to tamper with power monitoring data, disrupt operations, or even pivot to other critical systems on the same network segment. The advisory notes that the device is typically accessible via TCP port 80, making it a potential entry point for lateral movement.

Socomec has released an update to address CVE-2026-2491. The vendor's advisory is available at their cybersecurity vulnerabilities page. Users of the DIRIS A-40 are strongly advised to apply the patch immediately. As a temporary mitigation, organizations should ensure that the device's web interface is not exposed to untrusted networks and that network segmentation limits access to only authorized management hosts.

The disclosure timeline shows that the vulnerability was reported to Socomec on March 11, 2025, with the coordinated public release occurring on February 25, 2026. This nearly year-long timeline is typical for responsible disclosure, allowing the vendor time to develop and distribute a fix before public details emerge. No evidence of active exploitation had been reported as of the advisory date, but the availability of technical details increases the risk of attackers developing exploits.

This vulnerability adds to a growing list of authentication bypass flaws in industrial control system (ICS) and IoT devices, where weak or absent authentication in web interfaces remains a persistent problem. The Socomec DIRIS A-40 case underscores the importance of securing management interfaces in OT environments, where legacy devices often lack modern security controls. Organizations using the DIRIS A-40 should prioritize patching and review their network architecture to minimize exposure.

Synthesized by Vypr AI