CVE-2026-40630
Published: 24 April 2026
Summary
CVE-2026-40630 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Senselive X3500 Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40630 is a critical vulnerability in the web management interface of SenseLive X3050 devices, stemming from improper access control enforcement (CWE-288). It enables unauthorized access to certain configuration endpoints, allowing attackers to bypass the intended authentication mechanism. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise of confidentiality, integrity, and availability.
An attacker requires only network access to the affected device to exploit this vulnerability. No privileges, user interaction, or special conditions are needed, enabling remote exploitation with low complexity. Successful exploitation allows direct interaction with sensitive configuration functions, potentially granting full control over the device's settings.
CISA's ICS Advisory ICSA-26-111-12, along with the corresponding CSAF document on GitHub, detail mitigation recommendations for this vulnerability. Security practitioners should consult these advisories and the vendor contact page at senselive.io/contact for patching instructions and additional guidance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25350
Vulnerability details
A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly…
more
interact with sensitive configuration functions.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthorized remote access to the web management interface of a network-accessible device, directly enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for logical access, directly addressing the CVE's improper access control enforcement that enables authentication bypass to sensitive configuration endpoints.
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this critical access control vulnerability through patching as recommended in CISA advisories.
AC-6 enforces least privilege for authorized accesses, limiting the scope of damage from any residual unauthorized interactions with configuration functions post-enforcement fixes.