Cyber Resilience

CVE-2026-40620

Critical

Published: 24 April 2026

Published
24 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0055 41.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40620 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Senselive X3500 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-40620 is a vulnerability in SenseLive X3050’s embedded management service, particularly the SenseLive config application, that permits full administrative control without any authentication or authorization. The service accepts management connections from any reachable host, allowing unrestricted modification of critical configuration parameters, operational modes, and device state using a vendor-supplied or compatible client. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Any network-accessible attacker can exploit this vulnerability without requiring privileges or user interaction. By connecting to the management service, they can achieve complete administrative access, enabling them to alter device configurations, change operational modes, and manipulate the overall device state, potentially leading to full compromise of the affected SenseLive X3050 device.

Mitigation guidance is provided in official advisories, including CISA ICS Advisory ICSA-26-111-12 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12), the corresponding CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json), and vendor contact information (https://senselive.io/contact).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of…

more

critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability provides unauthenticated network access to a critical management service on a publicly reachable device, directly enabling initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27843Same product: Senselive X3500
CVE-2026-35064Same product: Senselive X3500
CVE-2026-35503Same product: Senselive X3500
CVE-2026-27841Same product: Senselive X3500
CVE-2026-40630Same product: Senselive X3500
CVE-2026-40623Same product: Senselive X3500
CVE-2026-39462Same product: Senselive X3500
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306

Affected Assets

senselive
x3500 firmware
1.523

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses and prohibits permitting full administrative control without identification or authentication on the SenseLive config application.

prevent

Requires unique identification and authentication of users before granting access to the embedded management service, preventing unauthenticated administrative modifications.

preventdetect

Mandates authorization, restrictions, and monitoring for remote access to the management service, blocking unauthenticated connections from any reachable host.

References