
Hubbell Aclara Metrum Missing Auth Lets Attackers Crash Grid Devices

An unauthenticated attacker can remotely reset Aclara Metrum cellular web interfaces, triggering communications loss; CVSS 4.0 score of 8.7 and firmware v2.1.0.105 patch available.

Tags: CISA, Hubbell, Aclara Metrum, CVE-2026-1840, ICS security, Energy sector

CISA dropped an advisory on June 23 for CVE-2026-1840, a missing-authentication hole in the Hubbell Aclara Metrum Cellular Web Interface that earns an 8.7 under CVSS 4.0. That is not a theoretical risk: an attacker exploiting this can alter device settings and force repeated reboots, causing a total loss of communications to the device. In the Energy sector, where these meters are deployed across the United States, that means remote disconnection from critical infrastructure.

The vulnerability lives in CWE-306: Missing Authentication for Critical Function. The web interface exposes essential configuration functions with no login required. I can hit those endpoints from the network, flip operational parameters, and trigger a restart cycle that leaves the device unresponsive. Hubbell's own advisory says the impact includes disrupting normal functionality and, if performed repeatedly, leads to loss of communications.

Unauthenticated Reset, Repeated Disruption

The advisory name "Missing Authentication for Critical Function" telegraphs the problem, but the concrete impact is what matters. No authentication means any system that can reach the web interface (the advisory does not name a port; TCP 80 or 443 is typical for such interfaces) can execute the reset function. A deliberate attacker could script repeated requests, keeping the device in a reboot loop. For a meter that serves as a communication gateway, that loop cuts the utility's visibility and control.
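The reboot-loop pattern described above is easy to spot in web-interface access logs if someone is looking. The following detection script is an added example, not code from the advisory, CISA or Hubbell: it parses constructed Common Log Format lines, counts reset requests per source inside a sliding window, and tags sources that sit outside the utility's management network. The endpoint path `/cgi-bin/reset`, the management subnet `10.0.5.0/24`, and every address and timestamp in the sample are placeholders; the advisory does not publish the interface's real paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (Common Log Format). The reset path is a
# placeholder: the advisory does not document the interface's endpoints.
SAMPLE_LOG = """\
10.0.5.17 - - [23/Jun/2026:14:02:01 +0000] "GET /status HTTP/1.1" 200 512
203.0.113.9 - - [23/Jun/2026:14:02:10 +0000] "POST /cgi-bin/reset HTTP/1.1" 200 0
203.0.113.9 - - [23/Jun/2026:14:03:15 +0000] "POST /cgi-bin/reset HTTP/1.1" 200 0
203.0.113.9 - - [23/Jun/2026:14:04:20 +0000] "POST /cgi-bin/reset HTTP/1.1" 200 0
10.0.5.17 - - [23/Jun/2026:14:05:00 +0000] "POST /cgi-bin/reset HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

RESET_PATHS = {"/cgi-bin/reset"}            # placeholder path(s)
MGMT_NETS = [ip_network("10.0.5.0/24")]     # assumed management subnet


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def outside_mgmt(src, mgmt_nets=MGMT_NETS):
    """True when the source address is not in any management network."""
    return not any(ip_address(src) in net for net in mgmt_nets)


def find_reboot_loops(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {src: {"count": n, "outside_mgmt": bool}} for every source
    that issued >= threshold reset requests within any sliding window.
    A single reset from the management network is normal operations; a
    burst from one source is the loop the advisory warns about."""
    reset_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in RESET_PATHS:
            reset_times[rec["src"]].append(rec["ts"])

    alerts = {}
    for src, times in reset_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                prev = alerts.get(src, {}).get("count", 0)
                alerts[src] = {"count": max(prev, n),
                               "outside_mgmt": outside_mgmt(src)}
    return alerts


if __name__ == "__main__":
    for src, info in find_reboot_loops(SAMPLE_LOG).items():
        where = "OUTSIDE" if info["outside_mgmt"] else "inside"
        print(f"{src}: {info['count']} resets in window, {where} management net")
```

On the constructed sample the script flags `203.0.113.9` (three resets in about two minutes, from outside the management subnet) and ignores the single operator-initiated reset from `10.0.5.17`. Tune `window` and `threshold` to the meter's normal maintenance cadence; the point is that a loop, not a single reset, is the signal.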

CVSS 3.1 gives a 7.5 (HIGH), but CVSS 4.0 bumps it to 8.7 because the attack vector is network-based, complexity low, no privileges required, and availability impact is high. Confidentiality and integrity are not directly hit, but availability is the kill switch here.

Patch Now: Firmware 2.1.0.105

Hubbell's fix is firmware version 2.1.0.105, available through Aclara Connect (https://aclara.my.site.com/AclaraConnect/s/). The remediation instructions are clear: update the firmware and ensure devices are not reachable from the Internet. If you have these meters exposed, you are inviting an attacker to flip the kill switch remotely.

CISA also recommends isolating control system networks behind firewalls, using VPNs for remote access, and following the Defense-in-Depth strategies outlined in their ICS guidance. Abhirup Konwar reported the issue to CISA; no public exploits have been reported yet, but that is cold comfort given the triviality of the attack.
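Turning the two remediation steps above (firmware 2.1.0.105 and no Internet reachability) into a triage list over a device inventory is straightforward, with one pitfall worth showing: the fixed version compares correctly only as numeric tuples, because as a string "2.1.0.99" sorts after "2.1.0.105". The script below is an added example, not Hubbell's or CISA's tooling; the inventory records, device names, addresses and the management subnet `10.0.5.0/24` are constructed placeholders, and the only value taken from the advisory is the patched version number.

```python
from ipaddress import ip_address, ip_network

PATCHED_VERSION = "2.1.0.105"  # fixed firmware version named in the advisory

# Assumed management subnet (placeholder).
MGMT_NETS = [ip_network("10.0.5.0/24")]

# Constructed inventory; every field is a placeholder.
INVENTORY = [
    {"name": "metrum-01", "fw": "2.1.0.99",  "addr": "10.0.5.21",    "internet_reachable": False},
    {"name": "metrum-02", "fw": "2.1.0.105", "addr": "10.0.5.22",    "internet_reachable": False},
    {"name": "metrum-03", "fw": "2.0.9.300", "addr": "198.51.100.7", "internet_reachable": True},
]


def parse_version(v):
    """'2.1.0.105' -> (2, 1, 0, 105); tuples compare field by field."""
    return tuple(int(part) for part in v.split("."))


def needs_patch(installed, fixed=PATCHED_VERSION):
    """True when the installed firmware is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory, mgmt_nets=MGMT_NETS):
    """Return [(name, priority, reasons)] for devices needing action,
    highest priority first. Priority is simply the number of findings:
    unpatched firmware, Internet reachability, and an address outside
    the management network each count once."""
    findings = []
    for dev in inventory:
        reasons = []
        if needs_patch(dev["fw"]):
            reasons.append(f"firmware {dev['fw']} older than {PATCHED_VERSION}")
        if dev["internet_reachable"]:
            reasons.append("reachable from the Internet")
        if not any(ip_address(dev["addr"]) in net for net in mgmt_nets):
            reasons.append("address outside management network")
        if reasons:
            findings.append((dev["name"], len(reasons), reasons))
    findings.sort(key=lambda f: -f[1])
    return findings


if __name__ == "__main__":
    for name, prio, reasons in triage(INVENTORY):
        print(f"[P{prio}] {name}: " + "; ".join(reasons))
```

On the constructed inventory, `metrum-03` tops the list with all three findings, `metrum-01` needs only the firmware update, and `metrum-02` is already at 2.1.0.105 on the management network and does not appear. The Internet-reachability flag is treated as a fact recorded in the inventory; how it is established (edge firewall policy review, external scan results) is a separate process.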

This vulnerability is a reminder that even basic hygiene - authentication on admin functions - is still missing in field-deployed ICS devices. The Energy sector needs to treat this as an immediate patching priority, not a routine bulletin. One unauthenticated reboot loop and a substation goes dark.


Source: Hubbell Aclara Metrum Cellular Web Interface
Domain: cisa.gov
