Skip to main content

SenseLive X3050 CVE-2026-25720

| EUVDEUVD-2026-25348 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-24 ics-cert@hq.dhs.gov GHSA-hjc2-p4mc-rcpr
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 24, 2026 - 00:48 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 00:22 euvd
EUVD-2026-25348
Analysis Generated
Apr 24, 2026 - 00:22 vuln.today
CVE Published
Apr 24, 2026 - 00:16 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability exists in SenseLive

X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.

AnalysisAI

Improper session lifetime enforcement in SenseLive X3050's web management interface allows attackers with access to a previously authenticated session to maintain administrative access without re-authentication, potentially enabling unauthorized configuration changes or information disclosure. The vulnerability affects the product's session management mechanism, permitting extended session validity beyond legitimate user activity windows. CVSS 6.9 indicates moderate risk; exploitation requires prior session compromise but no special configuration.

Technical ContextAI

SenseLive X3050 is an industrial control system device with a web-based management interface. The vulnerability stems from CWE-613 (Insufficient Session Expiration), a session management flaw where the application fails to enforce proper session timeout policies or adequately validate session state during user interactions. The web interface likely maintains authenticated session tokens (cookies or similar mechanisms) without enforcing expiration thresholds or re-authentication challenges for sensitive operations. This is particularly critical in ICS/OT environments where administrative sessions control device configuration, potentially affecting grid stability or sensor network integrity.

RemediationAI

Contact SenseLive via senselive.io/contact for patch availability and specific remediation guidance, as no vendor-released patch version is confirmed in available data. Implement session timeout policies on the X3050 device: configure maximum session lifetime to a defensible threshold (e.g., 15-30 minutes of inactivity for administrative sessions, shorter for high-privilege operations), enforce re-authentication for sensitive administrative functions (configuration changes, user management), and deploy network segmentation to restrict web management interface access to trusted administrative networks only, using firewall rules or VLANs to isolate the device from untrusted segments. Enable session logging and audit trails to detect anomalous administrative activity. Monitor CISA ICS Advisory ICSA-26-111-12 for patched firmware versions and vendor updates. These compensating controls reduce but do not eliminate risk if prior session compromise has occurred.

Share

CVE-2026-25720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy