HTTP API Authentication Bypass Vulnerability in Socomec DIRIS A-40 Power Monitoring Device
CVE-2026-2491

6.3 MEDIUM

Key Information:

Vendor: Socomec

CVE Published: 13 March 2026

What is CVE-2026-2491?

The Socomec DIRIS A-40 power monitoring device has a vulnerability in its HTTP API that allows network-adjacent attackers to bypass authentication. The flaw arises from missing authentication checks in the implementation of the web API, which typically listens on TCP port 80. As a result, unauthorized individuals can access the device's functionality, potentially leading to security breaches. Organizations using these devices should assess their security posture and implement the measures needed to mitigate this risk. For further details, see the vendor's advisory.

Affected Version(s)

DIRIS A-40 1.8.1

CVSS V3.0

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved