Skip to main content

SenseLive X3050 CVE-2026-35503

| EUVDEUVD-2026-25359 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-04-23 icscert GHSA-44q2-xjg6-chh9
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 00:45 vuln.today
CVSS changed
Apr 24, 2026 - 00:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25359
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 23, 2026 - 23:50 nvd
CRITICAL 9.3

DescriptionCVE.org

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.

AnalysisAI

Client-side authentication bypass in SenseLive X3050's web management interface allows remote unauthenticated attackers to gain full administrative access by extracting hardcoded credentials from browser-executed JavaScript. The vulnerability enables complete compromise of device management with zero technical barriers (CVSS 9.3, AV:N/AC:L/PR:N). CISA ICS-CERT has published an advisory, indicating this affects operational technology environments where administrative access to industrial sensors could enable process manipulation or monitoring disruption.

Technical ContextAI

This vulnerability stems from a critical authentication anti-pattern (CWE-798: Use of Hard-coded Credentials) where the SenseLive X3050 web management interface implements authentication logic entirely in client-side JavaScript. The login mechanism relies on hardcoded credentials or authentication tokens embedded in browser-executed scripts rather than performing server-side credential verification. When a user accesses the login page, the authentication parameters are delivered to the browser where they can be extracted through simple inspection of JavaScript source code or network traffic. This architectural flaw violates fundamental security principles that authentication decisions must occur on trusted server-side components, not within attacker-controllable client environments. The CPE identifier (cpe:2.3:a:senselive:x3050) indicates this affects the SenseLive X3050 product line, an industrial monitoring device commonly deployed in operational technology (OT) and critical infrastructure environments.

RemediationAI

Organizations must immediately restrict network access to SenseLive X3050 web management interfaces as an emergency compensating control while awaiting vendor remediation. Implement strict network segmentation to prevent any untrusted network access to the management interface - place devices behind firewalls allowing access only from dedicated management VLANs or jump hosts with IP address whitelisting. Deploy application-layer authentication proxies (such as reverse proxies with OAuth/SAML enforcement) in front of the vulnerable interface to add server-side authentication that the device lacks natively, though this adds operational complexity and potential performance impact. Monitor all access attempts to X3050 management interfaces through network traffic analysis and log correlation to detect exploitation attempts characterized by successful authentication without corresponding legitimate credential use. Contact SenseLive directly via https://senselive.io/contact to request emergency patch timeline and interim security guidance. Review the complete CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12 for additional vendor-specific mitigations. For devices that cannot be isolated, consider temporarily disabling the web management interface entirely if alternative management methods (serial console, local configuration) are available, accepting the operational trade-off of reduced remote manageability for elimination of critical exposure.

Share

CVE-2026-35503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy