Description
A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
Published: 2026-04-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Full Device Compromise
Action: Contact Vendor
AI Analysis

Impact

The SenseLive X3050 remote management service performs no authentication on its firmware operations, so any host that can reach it can download the current firmware image or upload a new one. Because the service also checks neither the caller's privileges nor the integrity or authenticity of the uploaded image, an attacker can replace the legitimate firmware with a malicious image and take complete control of the device, compromising the confidentiality, integrity, and availability of everything it handles. Unauthenticated retrieval additionally hands the attacker the genuine image for offline analysis.

Affected Systems

All SenseLive X3050 devices that expose the remote management service are affected. The advisory does not list specific firmware versions, so every deployment on which the service is reachable should be treated as vulnerable until the vendor states otherwise.

Risk and Exploitability

The advisory assigns a CVSS v4.0 score of 9.3 and a CVSS v3.1 score of 9.8, both in the Critical range: the vector (AV:N/AC:L/PR:N/UI:N) describes a flaw reachable over the network that needs no privileges, no user interaction, and no special conditions, with high impact on confidentiality, integrity, and availability. The EPSS score is below 1%, reflecting a low but non‑zero current exploitation probability, and the issue is not listed in CISA's KEV catalog; CISA's SSVC assessment records no known exploitation but rates the flaw as automatable with total technical impact. Any host that can reach the remote management endpoint can exploit it. Because the vendor has not responded to CISA and no patch is publicly available, the risk remains high until a remediation or a network‑level countermeasure is applied.

Generated by OpenCVE AI on April 28, 2026 at 14:29 UTC.

Remediation

Vendor Solution

SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information: https://senselive.io/contact


OpenCVE Recommended Actions

  • Immediately contact SenseLive through their support channel to request a firmware update or further mitigation guidance.
  • Restrict network access to the X3050’s remote management service by placing the device behind a firewall or VPN, allowing only trusted management hosts to reach it.
  • Configure firewall or access‑control rules to block or limit requests to the firmware update endpoints from all non‑whitelisted hosts.
  • If the device permits disabling the firmware update functionality, consider turning it off to eliminate the vulnerable path; note that this also blocks applying a future vendor fix through the same path, so re‑enable it only from a trusted management host when a fix becomes available.

Generated by OpenCVE AI on April 28, 2026 at 14:29 UTC.
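Since no fix exists, the practical defence is an allowlist of management hosts that is both enforced at the firewall and checked against connection logs. The script below is an added example and is not code from OpenCVE, CISA, or SenseLive: it reads constructed firewall log lines, flags every connection to the device's management port from a host outside the allowlist (whether the firewall accepted or dropped it), and renders nftables rules that admit only that allowlist. The device address, the management port, the trusted networks, and the log layout are assumptions for illustration; the advisory does not name the port the service listens on, so take that value from your own device documentation.

```python
"""Flag connections to the X3050 management service from hosts outside an
allowlist, and render nftables allowlist rules from the same list.

Added example; not from the OpenCVE page, CISA, or SenseLive. The device
address, management port, trusted networks and log layout are assumptions
chosen for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed values; replace with the real device address, the port the management
# service actually listens on, and the hosts that are allowed to manage it.
DEVICE_IP = "192.0.2.50"
MGMT_PORT = 8080
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "10.10.0.7/32")]

# Constructed firewall log lines in a generic key=value layout (not the output
# of any particular product). Two sources outside TRUSTED_NETS reach the
# management port: one connection was accepted, one was dropped.
SAMPLE_LOG = """\
2026-04-28T09:01:02Z fw1 action=accept src=192.0.2.5 dst=192.0.2.50 dport=8080 proto=tcp
2026-04-28T09:01:09Z fw1 action=accept src=10.10.0.7 dst=192.0.2.50 dport=8080 proto=tcp
2026-04-28T09:02:41Z fw1 action=accept src=198.51.100.23 dst=192.0.2.50 dport=8080 proto=tcp
2026-04-28T09:02:44Z fw1 action=accept src=198.51.100.23 dst=192.0.2.50 dport=22 proto=tcp
2026-04-28T09:03:10Z fw1 action=drop src=203.0.113.9 dst=192.0.2.50 dport=8080 proto=tcp
2026-04-28T09:04:00Z fw1 action=accept src=10.10.0.99 dst=192.0.2.60 dport=8080 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    action: str  # "accept" means the untrusted host actually reached the service


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_mgmt_access(log_text: str, device_ip: str = DEVICE_IP,
                               mgmt_port: int = MGMT_PORT) -> list[Finding]:
    """Return every logged connection to the device's management port whose
    source is outside TRUSTED_NETS, accepted or not. An accepted entry is a
    host that could have pulled or pushed firmware without credentials."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrelated or malformed line
        if m["dst"] != device_ip or int(m["dport"]) != mgmt_port:
            continue  # traffic to some other host or service
        if is_trusted(m["src"]):
            continue
        findings.append(Finding(m["ts"], m["src"], m["action"]))
    return findings


def render_nft_allowlist(device_ip: str = DEVICE_IP, mgmt_port: int = MGMT_PORT) -> str:
    """Render nftables rules that admit only TRUSTED_NETS to the management port
    and log-and-drop everything else, so enforcement and alerting share one list."""
    elems = ", ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in TRUSTED_NETS
    )
    return "\n".join([
        "table inet x3050 {",
        "  set mgmt_hosts { type ipv4_addr; flags interval; elements = { %s } }" % elems,
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {device_ip} tcp dport {mgmt_port} ip saddr @mgmt_hosts accept",
        f'    ip daddr {device_ip} tcp dport {mgmt_port} log prefix "x3050-mgmt-denied " drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for f in find_untrusted_mgmt_access(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {DEVICE_IP}:{MGMT_PORT} {f.action.upper()}")
    print(render_nft_allowlist())
```

Run against the constructed log, the script reports 198.51.100.23 (accepted, so it could have retrieved or replaced firmware) and 203.0.113.9 (dropped), while ignoring the SSH connection and traffic to a different host. The rendered rules place the device behind a forward-chain allowlist; the log prefix on the drop rule is what feeds the detection side.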


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Senselive
                                      Senselive x3050
Vendors & Products                    Senselive
                                      Senselive x3050

Fri, 24 Apr 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 00:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
Title                          SenseLive X3050 Missing authentication for critical function
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1
                               {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T12:16:24.207Z

Reserved: 2026-04-14T15:57:15.003Z

Link: CVE-2026-25775

Vulnrichment

Updated: 2026-04-24T12:16:19.103Z

NVD

Status : Awaiting Analysis

Published: 2026-04-24T00:16:26.757

Modified: 2026-04-24T14:39:56.310

Link: CVE-2026-25775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses