Hubbell Aclara Metrum Cellular Web Interface
Monitor · CVSS 7.5 · ICS-CERT ICSA-26-174-07 · Jun 23, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Aclara Metrum Cellular Web Interface contains an authentication bypass vulnerability (CWE-306) in versions prior to 2.1.0.105. Successful exploitation allows attackers to manipulate critical device settings and repeatedly disrupt operations, causing loss of communications to the device. The vulnerability requires only network access with no authentication or user interaction needed.
What this means
What could happen
An attacker with network access to the device could modify critical settings and repeatedly disrupt operations, causing the cellular meter to lose communications and stop reporting usage data.
Who's at risk
Water utilities, electric utilities, and gas utilities using Aclara Metrum Cellular meters for automated meter reading. This affects any organization relying on these devices for remote consumption data collection and device management.
How it could be exploited
An attacker on the network can reach the Aclara Metrum Cellular Web Interface without authentication and send requests to change device configuration or disable communications, disrupting normal meter operation and data transmission.
Prerequisites
- Network access to the web interface port (typically port 80/443)
- Device must be running firmware version below v2.1.0.105
- No authentication required to exploit
remotely exploitable · no authentication required · low complexity · affects critical infrastructure communications · device disruption possible
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (1)
Product | Affected Versions | Fix Status
Aclara Metrum Cellular Web Interface | <v2.1.0.105 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the device web interface using firewall rules; block all inbound traffic to the device except from authorized networks and management systems
- HARDENING: Ensure the device is not directly accessible from the Internet; disable port forwarding or external access to the web interface
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Aclara Metrum Cellular firmware to version 2.1.0.105 or later
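An added example, not from the advisory or the vendor: triaging a meter inventory against the 2.1.0.105 threshold and the access restrictions listed above. The CSV column names and device rows are constructed assumptions; versions are compared numerically because a plain string comparison ranks 2.1.0.99 above 2.1.0.105 and would mark an unpatched device as fixed.

```python
import csv
import io

FIXED = (2, 1, 0, 105)  # first fixed firmware version named in the advisory

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE = """device_id,firmware,web_reachable_from_untrusted
meter-001,2.1.0.99,yes
meter-002,v2.1.0.105,no
meter-003,2.1.0.9,no
meter-004,unknown,yes
meter-005,2.2.0.1,yes
"""

def parse_version(text):
    """Return 'v2.1.0.99' as (2, 1, 0, 99), or None if it is not dotted digits."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (len(FIXED) - len(nums))  # pad short versions with zeros

def triage(inventory_csv):
    """Map each device_id to the list of advisory actions it still needs."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        actions = []
        if row["web_reachable_from_untrusted"].strip().lower() == "yes":
            actions.append("restrict-access")   # WORKAROUND / HARDENING items
        version = parse_version(row["firmware"])
        if version is None:
            actions.append("verify-firmware")   # unknown: treat as unpatched
        elif version < FIXED:
            actions.append("update-firmware")   # HOTFIX item
        result[row["device_id"]] = actions
    return result

if __name__ == "__main__":
    for device, actions in triage(SAMPLE).items():
        print(device, ", ".join(actions) or "no action")
```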
CVEs (1)