Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.
AnalysisAI
SenseLive X3050 web management interface transmits all administrative communication including authentication credentials and configuration data over unencrypted HTTP, allowing network-adjacent attackers to intercept sensitive operational information without authentication or user interaction. The vulnerability affects all versions of the X3050 and is classified as information disclosure with confirmed CISA ICS advisory coverage.
Technical ContextAI
The SenseLive X3050 is an industrial control system device that relies on HTTP (unencrypted, plaintext) for its web-based management interface rather than HTTPS (encrypted). This violates the security principle of protecting sensitive data in transit, specifically addressing CWE-319 (Cleartext Transmission of Sensitive Information). The affected product uses the standard HTTP protocol which transmits all traffic including authentication credentials, session tokens, and device configuration parameters in plaintext across the network. An attacker positioned on the same network segment (or with network access via routing/switching) can passively capture this traffic using basic packet sniffing tools without any special technical capability, as HTTP provides no encryption or integrity protection.
RemediationAI
Implement HTTPS encryption for all web management interfaces by enabling TLS/SSL on the X3050 device and enforcing encrypted communication. Contact SenseLive directly via https://senselive.io/contact to obtain firmware updates or configuration guidance that enables HTTPS support and disables HTTP access to the management interface. As immediate compensating controls pending vendor remediation, implement network segmentation to restrict access to the X3050 management interface to a dedicated, isolated administrative network or VPN; configure network access control lists or firewall rules to permit management traffic only from authorized administrator workstations; and deploy network monitoring to detect and alert on unencrypted HTTP traffic to the X3050 device. These controls reduce the attack surface by limiting who can intercept management traffic, though they do not eliminate the underlying cleartext transmission weakness. Full remediation requires vendor-provided HTTPS capability.
Unauthenticated remote attackers can retrieve and replace firmware on SenseLive X3050 industrial control devices via the
SenseLive X3050's embedded management service grants full administrative control to unauthenticated remote attackers. Th
Client-side authentication bypass in SenseLive X3050's web management interface allows remote unauthenticated attackers
Authentication bypass in SenseLive X3050 web management interface allows remote unauthenticated attackers to gain admini
Remote unauthenticated attackers can permanently disable SenseLive X3050 industrial gateways and connected RS-485 downst
Unauthenticated network discovery in SenseLive X3050 management ecosystem exposes device presence, identifiers, and mana
Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victim
Unauthorized configuration tampering in SenseLive X3050 web management interface allows authenticated attackers to set c
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25361
GHSA-49v9-j5ff-rj5w