Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated, low-complexity network access to critical functions (PR:N/AC:L/AV:N); impact is restart/disruption only, so A:H with C:N and I:N.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without restriction. Such unauthorized changes can disrupt normal functionality and, if performed repeatedly, may lead to a loss of communications to the device.
AnalysisAI
Missing authentication in the Aclara Metrum Cellular Web Interface (a Hubbell/Aclara cellular communications module used in utility smart-grid metering) lets remote attackers reach critical system functions without any credentials. Per the CVSS:4.0 vector (PR:N/UI:N) an unauthenticated network attacker can read and modify operational configuration and force device restarts, and repeated restarts can sever device communications - a pure availability impact (VA:H, no confidentiality or integrity loss). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only hard prerequisite is network reachability to the Aclara Metrum Cellular Web Interface and the absence of authentication on its configuration and restart functions - the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no credentials, no user interaction, and no special attack requirements against the default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:4.0 score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:N, indicating trivially easy, unauthenticated, no-interaction network exploitation - the access barrier is essentially zero. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can route to the device's web interface (e.g., via an exposed or poorly segmented cellular/management network) sends direct HTTP requests to the unauthenticated configuration and restart endpoints - no login, no user interaction, and low complexity per the CVSS vector. By repeatedly altering operational parameters and triggering restarts, the attacker keeps the meter module offline, causing a sustained loss of communications. … |
| Remediation | No vendor-released patch version is identified in the supplied data; consult CISA advisory ICSA-26-174-07 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-07) and the Aclara support portal (https://aclara.my.site.com/AclaraConnect/s/) for the current fixed firmware/build and apply it once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Aclara Metrum Cellular devices and restrict network access to the web interface via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39058
GHSA-gx8p-xc64-fg2f