ics-ot · regulator · News · The Broadside · 1 min read

CISA flags Hubbell Aclara meter authentication flaw

A web interface that can restart field devices without credentials is not a paperwork vulnerability for utilities.


TL;DR

CISA issued ICSA-26-174-07 for CVE-2026-1840, a missing-authentication flaw in Hubbell Aclara Metrum Cellular Web Interface versions before 2.1.0.105. Energy utilities, municipal operators and contractors running affected meters should prioritize the firmware update. CISA says attackers could alter operational parameters and repeatedly disrupt operations, potentially causing loss of communications to the device; it reports no known public exploitation.

CVE-2026-1840 is the boring kind of industrial control system vulnerability that becomes serious precisely because it is boring: a critical function exposed without authentication. CISA says the Hubbell Aclara Metrum Cellular Web Interface lets an unauthenticated attacker alter essential configuration settings and trigger system restarts, with repeated disruption potentially causing loss of communications to the device.

For utilities and municipal operators, the instruction is simple. Identify Aclara Metrum Cellular Web Interface deployments below firmware version 2.1.0.105, update them, and keep the devices off the public internet. The advisory gives the flaw a CVSS v3.1 score of 7.5 and a CVSS v4.0 score of 8.7, both with network attack vectors and no privileges or user interaction required.
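The identification step above, as an added example that is not part of the original article: a small Python inventory check that flags devices running firmware below the fixed 2.1.0.105 release, comparing version components numerically rather than as strings (a plain string comparison would rank "2.1.0.99" above "2.1.0.105"). The inventory rows, hostnames and the internet-exposure flag are constructed assumptions.

```python
"""Triage a constructed asset inventory against the advisory's fixed version."""
from typing import List, Tuple

# Fixed firmware version named in ICSA-26-174-07 / CVE-2026-1840.
FIXED_VERSION = "2.1.0.105"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted firmware string into a tuple of integers.

    A plain string comparison would rank "2.1.0.99" above "2.1.0.105"
    because '9' > '1'; comparing integer components avoids that.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the device runs firmware older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed inventory rows: (hostname, firmware, reachable from internet?)
INVENTORY = [
    ("meter-gw-01", "2.0.9.200", False),
    ("meter-gw-02", "2.1.0.99", True),
    ("meter-gw-03", "2.1.0.105", True),
    ("meter-gw-04", "2.1.1.3", False),
]


def triage(inventory=INVENTORY) -> List[Tuple[str, str, str]]:
    """Return (host, version, priority) for every affected device.

    Affected devices that are reachable from the internet are listed
    first, since the advisory's attack vector is network with no
    privileges or user interaction required.
    """
    rows = []
    for host, version, exposed in inventory:
        if not is_affected(version):
            continue
        priority = "P1-exposed" if exposed else "P2-internal"
        rows.append((host, version, priority))
    rows.sort(key=lambda row: row[2])  # stable: P1 before P2
    return rows


if __name__ == "__main__":
    for host, version, priority in triage():
        print(f"{priority}: {host} firmware {version} < {FIXED_VERSION}")
```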

The unresolved operational question is reach. CISA’s write-up does not say whether exploitation requires a particular network position or whether exposed cellular deployments are reachable in ordinary production configurations. That distinction matters for triage, but it does not change the remediation call: missing authentication on energy-sector field infrastructure belongs ahead of routine patch backlog.


Published · Deep Fathom