Cyber Resilience

CVE-2026-40630

Severity: Critical

Published: 24 April 2026
Modified: 28 April 2026

CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0071 (49.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40630 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Senselive X3500 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40630 is a critical vulnerability in the web management interface of SenseLive X3050 devices, stemming from improper access control enforcement (CWE-288). It enables unauthorized access to certain configuration endpoints, allowing attackers to bypass the intended authentication mechanism. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise of confidentiality, integrity, and availability.

An attacker requires only network access to the affected device to exploit this vulnerability. No privileges, user interaction, or special conditions are needed, enabling remote exploitation with low complexity. Successful exploitation allows direct interaction with sensitive configuration functions, potentially granting full control over the device's settings.

CISA's ICS Advisory ICSA-26-111-12, along with the corresponding CSAF document on GitHub, details mitigation recommendations for this vulnerability. Security practitioners should consult these advisories and the vendor contact page at senselive.io/contact for patching instructions and additional guidance.

Vulnerability details

A vulnerability in SenseLive X3050's web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthorized remote access to the web management interface of a network-accessible device, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27841 (same product: Senselive X3500)
CVE-2026-35503 (same product: Senselive X3500)
CVE-2026-40620 (same product: Senselive X3500)
CVE-2026-40623 (same product: Senselive X3500)
CVE-2026-27843 (same product: Senselive X3500)
CVE-2026-39462 (same product: Senselive X3500)
CVE-2026-35064 (same product: Senselive X3500)
CVE-2026-44574 (shared CWE-288)
CVE-2025-2747 (shared CWE-288)
CVE-2025-69101 (shared CWE-288)

Affected Assets

Vendor: senselive
Product: x3500 firmware
Version: 1.523

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 mandates enforcement of approved authorizations for logical access, directly addressing the CVE's improper access control enforcement that enables authentication bypass to sensitive configuration endpoints.

Prevent: SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this critical access control vulnerability through patching as recommended in CISA advisories.

Prevent: AC-6 enforces least privilege for authorized accesses, limiting the damage from any unauthorized interaction with configuration functions that remains possible after the access-enforcement fix.