Skip to main content

SenseLive X3050 CVE-2026-40620

| EUVDEUVD-2026-25362 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-24 icscert GHSA-3jcw-ch7p-f8v8
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 00:45 vuln.today
CVSS changed
Apr 24, 2026 - 00:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25362
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 24, 2026 - 00:02 nvd
CRITICAL 9.3

DescriptionCVE.org

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.

AnalysisAI

SenseLive X3050's embedded management service grants full administrative control to unauthenticated remote attackers. The CVSS 4.0 score of 9.3 with network attack vector (AV:N), low complexity (AC:L), and no required privileges (PR:N) confirms this allows complete device compromise from any network-reachable host. CISA ICS Advisory ICSA-26-111-12 documents this vulnerability affecting industrial control system components, indicating potential operational technology (OT) environments are exposed. No authentication or authorization mechanisms protect the management interface, allowing arbitrary configuration changes, operational mode manipulation, and device state control through vendor or compatible clients.

Technical ContextAI

The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where SenseLive X3050's management service implements no authentication layer for administrative functions. The CPE identifier cpe:2.3:a:senselive:x3050 indicates this affects the application layer of the X3050 product line. Management services in embedded systems typically expose APIs or protocols (such as HTTP/HTTPS, Telnet, proprietary TCP services) for device configuration. In this case, the service binds to network-accessible interfaces and accepts connections from any source IP without credential verification. The CVSS 4.0 vector shows high impact to confidentiality, integrity, and availability (VC:H/VI:H/VA:H) with no impact to subsequent systems (SC:N/SI:N/SA:N), suggesting the vulnerability is contained to the device itself but grants complete control over that device. This architecture flaw is common in legacy industrial devices where security-by-obscurity or network segmentation was assumed rather than implemented authentication.

RemediationAI

No vendor-released patch identified at time of analysis based on available references. Organizations should immediately implement network-level compensating controls: isolate SenseLive X3050 devices on dedicated management VLANs with strict firewall rules permitting management connections only from specific authorized administrator workstations (source IP whitelisting). Deploy network access control (NAC) solutions requiring device authentication before VLAN assignment to prevent unauthorized access to management segments. Implement intrusion detection signatures to alert on unexpected connections to X3050 management service ports from unauthorized sources. If devices must be internet-facing or accessible from broader networks, deploy application-layer gateway proxies that enforce authentication before forwarding to the backend management service (introduces latency and single point of failure). Contact SenseLive directly via https://senselive.io/contact to request firmware updates addressing CWE-306 and inquire about authentication implementation timelines. Review CISA advisory ICSA-26-111-12 for any updated mitigation guidance. As a last resort for air-gapped environments, physically disconnect devices from all networks and manage only via direct serial/console connections (eliminates remote management capability). Organizations should inventory all X3050 deployments and assess which are network-exposed versus properly segmented.

Share

CVE-2026-40620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy