CVE-2026-2491 MEDIUM

CVE-2026-2491: Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability

Vendor Socomec
Product DIRIS A-40
Weakness CWE-306 · Missing auth
Published March 13, 2026
Last update March 16, 2026

CVSS base score

6.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web API implementation, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Formerly tracked as ZDI-CAN-23993.

Key dates

02 Disclosure timeline

March 13, 2026 CVE published
March 16, 2026 Record updated