Description
A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.
Published: 2026-04-23
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via authentication bypass
Action: Contact Vendor
AI Analysis

Impact

A flaw in the SenseLive X3050 web management interface permits alteration of critical configuration parameters without authentication or server‑side validation, exploiting an authentication bypass weakness (CWE‑306). This allows an attacker with web access to set unsupported recovery mechanisms and network values, which can lock the device. Because the device lacks a physical reset button, recovery requires console access and a factory reset, resulting in denial of service to the gateway and all downstream RS‑485 systems.

Affected Systems

The vulnerability affects all SenseLive X3050 units; no specific firmware or hardware revisions are identified, so all current or prior deployments may be impacted.

Risk and Exploitability

With a CVSS score of 9.2, this is a critical vulnerability. The EPSS score of <1% reflects a low current exploitation probability, but the straightforward attack vector—remote web access without authentication—makes it highly exploitable in the right environment. The issue is not yet in the CISA KEV catalog. Exploitation would permanently deny service to the gateway and connected systems, potentially disrupting critical industrial processes.

Generated by OpenCVE AI on April 28, 2026 at 20:26 UTC.

Remediation

Vendor Solution

SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information. https://senselive.io/contact

OpenCVE Recommended Actions

  • Reach out to SenseLive via their contact page for a security patch or instructions.
  • If a patch is not available, restrict access to the web management interface to trusted IP addresses or block it entirely using network or firewall rules.
  • Plan for a factory reset by having console access ready, and consider isolating the device from critical network segments until a fix is applied.

Generated by OpenCVE AI on April 28, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Senselive x3500
Senselive x3500 Firmware
CPEs cpe:2.3:h:senselive:x3500:-:*:*:*:*:*:*:*
cpe:2.3:o:senselive:x3500_firmware:1.523:*:*:*:*:*:*:*
Vendors & Products Senselive x3500
Senselive x3500 Firmware

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Senselive
Senselive x3050
Vendors & Products Senselive
Senselive x3050

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.
Title SenseLive X3050 Missing authentication for critical function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Senselive X3050 X3500 X3500 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T13:10:40.862Z

Reserved: 2026-04-14T16:05:54.167Z

Link: CVE-2026-27843

cve-icon Vulnrichment

Updated: 2026-04-24T13:10:36.600Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T00:16:27.123

Modified: 2026-04-28T19:32:43.943

Link: CVE-2026-27843

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses