Critical RCE and Default Password Flaws Disclosed in Silex SD-330AC and AMC Manager

Tags: embedded-device-vulnerability, default-credential-exposure, widely-deployed-product-advisory
Updated April 22, 2026 at 04:01 PM (7 sources)

Two serious vulnerabilities have been disclosed in Silex Technology's SD-330AC and AMC Manager that expose devices to remote compromise and unauthorized reconfiguration. The most severe, CVE-2026-32956, is a heap-based buffer overflow in redirect URL processing that can enable arbitrary code execution over the network without authentication or user interaction. The flaw is classified as CWE-122 (heap-based buffer overflow) and carries a critical CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that full compromise of confidentiality, integrity, and availability is possible.

A second flaw, CVE-2026-32965, affects devices left in their factory-default state and allows them to be configured with a null string password, creating an insecure initialization condition. Classified as CWE-1188, the vulnerability is network-accessible and primarily threatens device integrity, with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issues were reported through JPCERT/CC and published via JVN and Silex security advisories in Japanese and English, putting administrators on notice to review exposed deployments and initialization practices.

Timeline

  1. Apr 21, 2026

    CISA issues ICS advisory for multiple Silex SD-330AC and AMC Manager flaws

    On 2026-04-21, CISA published ICS advisory ICSA-26-111-10 covering multiple vulnerabilities affecting Silex SD-330AC version 1.42 or earlier and AMC Manager version 5.0.2 or earlier. The advisory summarized severe impacts including remote code execution, denial of service, unauthorized configuration changes, and information disclosure, credited Francesco La Spina of Forescout as reporter, and said no known public exploitation had been reported.

  2. Apr 20, 2026

    CVE-2026-32959 recorded for Silex SD-330AC and AMC Manager

    On 2026-04-20, CVE-2026-32959 was recorded for Silex SD-330AC and AMC Manager as a weak cryptography vulnerability. The flaw could allow traffic information disclosure via a man-in-the-middle attack, and references were published in JVN and Silex security advisories.

  3. Apr 20, 2026

    Silex publishes fixed versions and mitigations for SD-330AC and AMC Manager

    On 2026-04-20, Silex disclosed that multiple vulnerabilities affecting SD-330AC and AMC Manager should be remediated by updating to SD-330AC firmware 1.50 or later and AMC Manager 5.1.0 or later. The advisory also recommended interim mitigations including disabling HTTP/HTTPS or SNMP services and setting a password on the settings web interface.

  4. Apr 20, 2026

    JVN and Silex advisories publish details for the two vulnerabilities

    By 2026-04-20, public references for the vulnerabilities were available through JVN and Silex security advisories in Japanese and English. These advisories documented the affected products and technical classifications for the reported flaws.

  5. Apr 20, 2026

    CVE-2026-32955 recorded for Silex SD-330AC and AMC Manager

    On 2026-04-20, CVE-2026-32955 was recorded as a stack-based buffer overflow in redirect URL processing affecting Silex SD-330AC and AMC Manager. The flaw could allow arbitrary code execution, and public references were added to JVN and Silex security advisories.

  6. Apr 20, 2026

    JPCERT/CC receives report of CVE-2026-32965 default password flaw

    On 2026-04-20, JPCERT/CC received a report of an insecure default initialization vulnerability affecting Silex SD-330AC and AMC Manager. In a factory-default network-connected state, the device could be configured with a null string password, a condition rated as a high integrity risk.

  7. Apr 20, 2026

    JPCERT/CC receives report of CVE-2026-32956 in Silex SD-330AC and AMC Manager

    On 2026-04-20, JPCERT/CC received a report of a heap-based buffer overflow in redirect URL processing affecting Silex SD-330AC and AMC Manager. The flaw could allow arbitrary code execution over the network without privileges or user interaction.



Related Stories

Unpatched IDC SFX2100 Satellite Receiver Vulnerabilities Expose Critical Infrastructure to Remote Compromise

A security researcher publicly disclosed **20+ vulnerabilities** in the **International Data Casting (IDC) SFX2100 satellite receiver**, a device reported as deployed across **U.S. Department of Defense**, **European Space Agency**, and other critical infrastructure environments, after the vendor allegedly failed to respond to repeated disclosure attempts over several months. Reported issues span common embedded-device failure modes including **hardcoded credentials**, **unauthenticated remote code execution**, **OS command injection**, **path traversal**, and overly permissive filesystem configurations, with CVEs assigned across **CVE-2026-28769 through CVE-2026-29128**. One highlighted high-impact issue, **CVE-2026-28775**, reportedly enables **unauthenticated command execution as `root`** by abusing **SNMP** management functionality combined with a default read-write community string of `private`. Additional detail on the credential exposure risk is captured in **CVE-2026-29128**, which describes **world-readable routing daemon configuration files** (e.g., `zebra.conf`, `bgpd.conf`, `ospfd.conf`, `ripd.conf`) that are root-owned but readable by all users and contain **plaintext/hardcoded passwords** (including privileged “enable” credentials). This condition can enable credential reuse and lateral movement, potentially helping an attacker establish or deepen access within networks where the SFX2100 is deployed, and it compounds other reported weaknesses such as undocumented default accounts (e.g., `admin`, `monitor`, `user`, `xd`) allegedly sharing a weak password (`12345`).

1 month ago
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers

Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.

1 month ago
SenseLive X3050 Flaws Allow Unauthenticated Admin Access and Persistent Device Lockout

Multiple high-severity vulnerabilities in the **SenseLive X3050** industrial gateway expose its web and embedded management interfaces to unauthenticated or improperly authorized remote access. The issues tracked as `CVE-2026-40620`, `CVE-2026-40630`, `CVE-2026-40623`, and `CVE-2026-27843` include **missing authentication for critical functions**, **authentication bypass via an alternate path or channel**, and **missing authorization**. Collectively, the flaws allow attackers with network reachability to access sensitive configuration endpoints, gain administrative control of the configuration application, and change operational modes, service ports, watchdog timers, reconnect intervals, IP settings, and other critical parameters. The reported impact spans confidentiality, integrity, and availability, with CVSS scoring indicating network-exploitable, low-complexity attacks and high-severity outcomes. Successful exploitation can destabilize the gateway, cause persistent denial of service, and in the case of `CVE-2026-27843`, lock the device into a state that also disrupts connected **RS-485 downstream systems**. Recovery may be especially difficult because the X3050 reportedly lacks a physical reset button, requiring specialized console access for a factory reset after destructive configuration changes.

1 week ago
