Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web API implementation, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-23993.
AnalysisAI
Socomec DIRIS A-40 power monitoring devices contain an authentication bypass vulnerability in their HTTP API that allows network-adjacent attackers to gain unauthorized access without credentials. The vulnerability affects all versions of the DIRIS A-40 product due to lack of authentication enforcement on the web API listening on TCP port 80, enabling attackers to read sensitive data, modify configurations, and potentially disrupt power monitoring operations. This is a moderate-severity flaw (CVSS 6.3) with low attack complexity that poses real risk in industrial/operational technology environments where these devices are deployed.
Technical ContextAI
The Socomec DIRIS A-40 is a three-phase electrical power analyzer and monitoring device commonly deployed in industrial and commercial power distribution systems. The vulnerability exists in the HTTP API implementation (CWE-306: Missing Authentication Check) that handles REST API requests on TCP port 80. The root cause is the absence of authentication validation before granting access to API endpoints that control and report on power monitoring functionality. Unlike modern API security practices that implement token-based (OAuth2, JWT) or session-based authentication, this device's API exposes sensitive functionality—including potential configuration changes and data exfiltration—without any credential requirement. The network-adjacent attack vector indicates the attacker must be on the same network segment or have routing access to the device, limiting but not eliminating real-world exploitation risk in industrial settings where these devices often reside on dedicated or semi-isolated networks.
RemediationAI
Immediate remediation steps: (1) Consult Socomec's official advisory at https://emea.socomec.com/en/resource-center/resource-type/cyber-vulnerabilities-601 for patched firmware versions and upgrade instructions. (2) If patches are unavailable, implement network segmentation: restrict access to the DIRIS A-40 HTTP API (TCP port 80) to only authorized management stations and monitoring systems using firewall ACLs or network VLANs. (3) Deploy a reverse proxy or WAF (Web Application Firewall) in front of the device to enforce authentication at the network boundary. (4) Disable HTTP API access if only local management is required; use serial console or alternative protocols. (5) Monitor for unauthorized API access attempts; log and alert on unauthenticated requests to the device. (6) Implement VPN or secure tunneling for remote management access. (7) Prioritize patching in order: devices exposed to untrusted networks first, then internal networks. Vendor patch release timelines should be confirmed via the Socomec advisory link; if patches are delayed or unavailable, prioritize workaround implementation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12107