Description
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.
Published: 2026-04-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Contact Vendor
AI Analysis

Impact

The defect causes the web management interface to perform authentication entirely on the client side, using hard‑coded credentials embedded in browser scripts. An attacker who can reach the login page can discover these values and gain administrative access without needing a valid server‑side account. This enables full control of the device, compromising confidentiality, integrity, and availability of the system.

Affected Systems

SenseLive X3050

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the present time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation is straightforward for anyone able to open the web interface; no special privileges or exploits are required beyond basic network access. Attackers use the exposed login page to extract hard‑coded credentials and authenticate as an administrator.

Generated by OpenCVE AI on April 28, 2026 at 14:34 UTC.

Remediation

Vendor Solution

SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information. https://senselive.io/contact


OpenCVE Recommended Actions

  • Contact SenseLive for remediation guidance or an updated firmware image
  • Restrict access to the web management interface to trusted IP ranges or a VPN tunnel
  • Enable logging and regularly review authentication events for suspicious activity



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Senselive x3500; Senselive x3500 Firmware |
| CPEs | | cpe:2.3:h:senselive:x3500:-:*:*:*:*:*:*:*; cpe:2.3:o:senselive:x3500_firmware:1.523:*:*:*:*:*:*:* |
| Vendors & Products | | Senselive x3500; Senselive x3500 Firmware |

Tue, 28 Apr 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Senselive; Senselive x3050 |
| Vendors & Products | | Senselive; Senselive x3050 |

Fri, 24 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 24 Apr 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality. |
| Title | | SenseLive X3050 Use of Hard-coded Credentials |
| Weaknesses | | CWE-798 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T13:51:40.131Z

Reserved: 2026-04-14T16:05:54.153Z

Link: CVE-2026-35503

Vulnrichment

Updated: 2026-04-24T13:51:36.824Z

NVD

Status: Analyzed

Published: 2026-04-24T00:16:28.143

Modified: 2026-04-28T19:33:20.857

Link: CVE-2026-35503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses