CVE-2026-40630

Critical

Published: 24 April 2026

Published

24 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 28.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly…

interact with sensitive configuration functions.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of approved authorizations for logical access, directly addressing the CVE's improper access control enforcement that enables authentication bypass to sensitive configuration endpoints.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this critical access control vulnerability through patching as recommended in CISA advisories.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege for authorized accesses, limiting the scope of damage from any residual unauthorized interactions with configuration functions post-enforcement fixes.

Security SummaryAI

CVE-2026-40630 is a critical vulnerability in the web management interface of SenseLive X3050 devices, stemming from improper access control enforcement (CWE-288). It enables unauthorized access to certain configuration endpoints, allowing attackers to bypass the intended authentication mechanism. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise of confidentiality, integrity, and availability.

An attacker requires only network access to the affected device to exploit this vulnerability. No privileges, user interaction, or special conditions are needed, enabling remote exploitation with low complexity. Successful exploitation allows direct interaction with sensitive configuration functions, potentially granting full control over the device's settings.

CISA's ICS Advisory ICSA-26-111-12, along with the corresponding CSAF document on GitHub, detail mitigation recommendations for this vulnerability. Security practitioners should consult these advisories and the vendor contact page at senselive.io/contact for patching instructions and additional guidance.

Details

CWE(s): CWE-288

Affected Products

senselive

x3500 firmware

1.523

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthorized remote access to the web management interface of a network-accessible device, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://senselive.io/contact
Product · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12
US Government Resource · ics-cert@hq.dhs.gov