CVE-2026-40620
Published: 24 April 2026
Summary
CVE-2026-40620 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Senselive X3500 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses and prohibits permitting full administrative control without identification or authentication on the SenseLive config application.
Requires unique identification and authentication of users before granting access to the embedded management service, preventing unauthenticated administrative modifications.
Mandates authorization, restrictions, and monitoring for remote access to the management service, blocking unauthenticated connections from any reachable host.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability provides unauthenticated network access to a critical management service on a publicly reachable device, directly enabling initial access through exploitation of a public-facing application.
NVD Description
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of…
more
critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.
Deeper analysisAI
CVE-2026-40620 is a vulnerability in SenseLive X3050’s embedded management service, particularly the SenseLive config application, that permits full administrative control without any authentication or authorization. The service accepts management connections from any reachable host, allowing unrestricted modification of critical configuration parameters, operational modes, and device state using a vendor-supplied or compatible client. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).
Any network-accessible attacker can exploit this vulnerability without requiring privileges or user interaction. By connecting to the management service, they can achieve complete administrative access, enabling them to alter device configurations, change operational modes, and manipulate the overall device state, potentially leading to full compromise of the affected SenseLive X3050 device.
Mitigation guidance is provided in official advisories, including CISA ICS Advisory ICSA-26-111-12 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12), the corresponding CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json), and vendor contact information (https://senselive.io/contact).
Details
- CWE(s)