Summary
Successful exploitation of these vulnerabilities could allow an attacker to take complete control of the device.
The following versions of SenseLive X3050 are affected:
- X3050 V1.523 (CVE-2026-40630, CVE-2026-25720, CVE-2026-35503, CVE-2026-39462, CVE-2026-27843, CVE-2026-40431, CVE-2026-40623, CVE-2026-27841, CVE-2026-40620, CVE-2026-35064, CVE-2026-25775)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | SenseLive | SenseLive X3050 | Authentication Bypass Using an Alternate Path or Channel, Insufficient Session Expiration, Use of Hard-coded Credentials, Insufficiently Protected Credentials, Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information, Missing Authorization, Cross-Site Request Forgery (CSRF) |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Water and Wastewater, Energy, Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: India
Vulnerabilities
CVE-2026-40630
A vulnerability in the X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.
Affected Products
- SenseLive SenseLive X3050: V1.523 (known affected)
Remediations
Mitigation
SenseLive did not respond to CISA’s requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information: https://senselive.io/contact
Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2026-25720
A vulnerability exists in the X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.
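The two weakness classes described under CVE-2026-40630 (authentication bypass through an alternate path) and CVE-2026-25720 (insufficient session expiration) share a single defensive pattern: a server-side session table that enforces both an idle and an absolute lifetime, fronted by one central authorization gate that every request passes through, with undeclared paths refused. The following is an added illustration of that pattern; it is not SenseLive firmware, not code from the advisory, and the timeout values, endpoint table, role names and `FakeClock` are assumptions constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not taken from the advisory).
IDLE_TIMEOUT_S = 15 * 60          # end a session after 15 min without activity
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60  # end a session 8 h after login regardless of activity


@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table with idle and absolute expiry (CWE-613 mitigation)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be exercised offline
        self._sessions = {}

    def create(self, user, role):
        token = secrets.token_urlsafe(32)   # 256-bit random, unguessable session id
        now = self._clock()
        self._sessions[token] = Session(user, role, now, now)
        return token

    def validate(self, token):
        """Return the live Session for token, or None. Expired entries are purged."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created > ABSOLUTE_TIMEOUT_S:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def revoke(self, token):
        """Explicit logout: the token must stop working immediately."""
        self._sessions.pop(token, None)


# Hypothetical endpoint table. A route must be declared here to be reachable, so no
# undeclared path reaches a handler without passing the central check (CWE-288 mitigation).
REQUIRED_ROLE = {
    "/api/status": "viewer",
    "/api/config/network": "admin",
    "/api/config/users": "admin",
}
ROLE_RANK = {"viewer": 1, "operator": 2, "admin": 3}


def authorize(store, token, path):
    """Central gate run before any handler. Returns an HTTP-style status code."""
    required = REQUIRED_ROLE.get(path)
    if required is None:
        return 403               # unknown path: deny by default, never fall through
    session = store.validate(token) if token else None
    if session is None:
        return 401               # missing, expired, or revoked session
    if ROLE_RANK[session.role] < ROLE_RANK[required]:
        return 403               # authenticated but not entitled to this function
    return 200


class FakeClock:
    """Constructed clock for the demonstration; real code uses time.time."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Exercise the gate and return the status code observed in each scenario."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock)
    results = {}

    admin = store.create("admin", "admin")
    results["fresh"] = authorize(store, admin, "/api/config/network")
    results["undeclared_path"] = authorize(store, admin, "/api/config/network-legacy")
    clock.t += IDLE_TIMEOUT_S + 1
    results["after_idle"] = authorize(store, admin, "/api/config/network")

    op = store.create("op", "operator")
    results["operator_on_admin_route"] = authorize(store, op, "/api/config/users")
    results["operator_on_status"] = authorize(store, op, "/api/status")
    # Touch the session every 10 min for 9 h: never idle, but the absolute cap still ends it.
    for _ in range(54):
        clock.t += 10 * 60
        authorize(store, op, "/api/status")
    results["after_absolute"] = authorize(store, op, "/api/status")
    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:26s} -> {code}")
```

The design point is that the session check and the role check live in one function the request dispatcher always calls, rather than in individual handlers where a forgotten or newly added route silently skips them; and that the session store, not the client, decides when a session ends.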
Affected Products
- SenseLive SenseLive X3050: V1.523 (known affected)
Remediations
Mitigation
SenseLive did not respond to CISA’s requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information: https://senselive.io/contact
Relevant CWE: CWE-613 Insufficient Session Expiration
[…]