Skip to main content

SenseLive X3050 CVE-2026-40431

| EUVDEUVD-2026-25361 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-04-23 icscert GHSA-49v9-j5ff-rj5w
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 00:48 vuln.today
CVSS changed
Apr 24, 2026 - 00:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25361
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 23, 2026 - 23:56 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.

AnalysisAI

SenseLive X3050 web management interface transmits all administrative communication including authentication credentials and configuration data over unencrypted HTTP, allowing network-adjacent attackers to intercept sensitive operational information without authentication or user interaction. The vulnerability affects all versions of the X3050 and is classified as information disclosure with confirmed CISA ICS advisory coverage.

Technical ContextAI

The SenseLive X3050 is an industrial control system device that relies on HTTP (unencrypted, plaintext) for its web-based management interface rather than HTTPS (encrypted). This violates the security principle of protecting sensitive data in transit, specifically addressing CWE-319 (Cleartext Transmission of Sensitive Information). The affected product uses the standard HTTP protocol which transmits all traffic including authentication credentials, session tokens, and device configuration parameters in plaintext across the network. An attacker positioned on the same network segment (or with network access via routing/switching) can passively capture this traffic using basic packet sniffing tools without any special technical capability, as HTTP provides no encryption or integrity protection.

RemediationAI

Implement HTTPS encryption for all web management interfaces by enabling TLS/SSL on the X3050 device and enforcing encrypted communication. Contact SenseLive directly via https://senselive.io/contact to obtain firmware updates or configuration guidance that enables HTTPS support and disables HTTP access to the management interface. As immediate compensating controls pending vendor remediation, implement network segmentation to restrict access to the X3050 management interface to a dedicated, isolated administrative network or VPN; configure network access control lists or firewall rules to permit management traffic only from authorized administrator workstations; and deploy network monitoring to detect and alert on unencrypted HTTP traffic to the X3050 device. These controls reduce the attack surface by limiting who can intercept management traffic, though they do not eliminate the underlying cleartext transmission weakness. Full remediation requires vendor-provided HTTPS capability.

Share

CVE-2026-40431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy