Skip to main content

SenseLive X3050 CVE-2026-35064

| EUVDEUVD-2026-25358 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-24 icscert GHSA-vx53-3hhq-vppx
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 00:47 vuln.today
CVSS changed
Apr 24, 2026 - 00:22 NVD
7.5 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25358
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 24, 2026 - 00:04 nvd
HIGH 8.7

DescriptionCVE.org

A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices.

AnalysisAI

Unauthenticated network discovery in SenseLive X3050 management ecosystem exposes device presence, identifiers, and management interfaces to attackers on the same network segment. The vendor's management protocol fails to authenticate discovery functions (CWE-306), allowing rapid enumeration of all deployed X3050 units without credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating awareness in industrial control system environments. CVSS 8.7 reflects high confidentiality impact from network-based, low-complexity attacks requiring no privileges or user interaction.

Technical ContextAI

SenseLive X3050 is an industrial automation or monitoring device with a centralized management ecosystem. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the underlying management service exposes device discovery protocol functions without requiring authentication. This is a common design flaw in industrial protocols where device enumeration and service advertisement (similar to UPnP, mDNS, or proprietary discovery mechanisms) operate at the network layer without access controls. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low attack complexity and no privilege requirements. The CPE identifier indicates all versions of the X3050 product are affected, though no specific version range is provided in available data. This authentication bypass allows information disclosure (VC:H) without impacting integrity or availability.

RemediationAI

Contact SenseLive directly via https://senselive.io/contact for patch availability and remediation guidance, as no vendor-released patch version is confirmed in available data. CISA advisory ICSA-26-111-12 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12 may contain vendor-recommended mitigations. Implement network segmentation to isolate X3050 management traffic on dedicated VLANs or management networks, preventing attacker access to the network segment where discovery protocol operates - this compensating control directly addresses the AV:N vector by reducing network exposure. Deploy ingress/egress filtering on management network boundaries to block unauthorized discovery protocol traffic (identify specific UDP/TCP ports used by SenseLive management protocol from vendor documentation). Implement network access control (802.1X) on segments containing X3050 devices to authenticate endpoints before network access. Monitor network traffic for unexpected discovery protocol activity from unknown sources. These controls reduce attack surface but may complicate legitimate device provisioning and management workflows, requiring coordination with operational teams.

Share

CVE-2026-35064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy