
JVNDB-2026-012056

Multiple vulnerabilities in silex technology SD-330AC and AMC Manager

Overview

SD-330AC and AMC Manager provided by silex technology, Inc. contain multiple vulnerabilities listed below.
  • Stack-based buffer overflow in processing the redirect URLs (CWE-121) - CVE-2026-32955
  • Heap-based buffer overflow in processing the redirect URLs (CWE-122) - CVE-2026-32956
  • Missing authentication for critical function on firmware maintenance (CWE-306) - CVE-2026-32957
  • Use of hard-coded cryptographic key (CWE-321) - CVE-2026-32958
  • Use of a broken or risky cryptographic algorithm (CWE-327) - CVE-2026-32959
  • Sensitive information in resource not removed before reuse (CWE-226) - CVE-2026-32960
  • Heap-based buffer overflow in packet data processing of sx_smpd (CWE-122) - CVE-2026-32961
  • Missing authentication for critical device setting function (CWE-306) - CVE-2026-32962
  • Reflected cross-site scripting (CWE-79) - CVE-2026-32963
  • CRLF injection (CWE-93) - CVE-2026-32964
  • Initialization of a resource with an insecure default (CWE-1188) - CVE-2026-32965
  • Dependency on vulnerable third-party component (CWE-1395) - CVE-2015-5621
  • Incorrect privilege assignment (CWE-266) - CVE-2024-24487
Francesco La Spina of Forescout Technologies reported these vulnerabilities to CISA ICS. At the request of CISA ICS, JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS v3 Severity
Base Metrics: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): High
  • Integrity Impact (I): High
  • Availability Impact (A): High
The above CVSS base score has been assigned to CVE-2026-32955


CVSS v3 Severity
Base Metrics: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): High
  • Integrity Impact (I): High
  • Availability Impact (A): High
The above CVSS base score has been assigned to CVE-2026-32956


CVSS v3 Severity
Base Metrics: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): Low
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32957


CVSS v3 Severity
Base Metrics: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): High
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32958


CVSS v3 Severity
Base Metrics: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): High
  • Integrity Impact (I): None
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32959


CVSS v3 Severity
Base Metrics: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): High
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32960


CVSS v3 Severity
Base Metrics: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): None
  • Availability Impact (A): Low
The above CVSS base score has been assigned to CVE-2026-32961


CVSS v3 Severity
Base Metrics: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): Low
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32962


CVSS v3 Severity
Base Metrics: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality Impact (C): Low
  • Integrity Impact (I): Low
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32963


CVSS v3 Severity
Base Metrics: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): Low
  • Availability Impact (A): Low
The above CVSS base score has been assigned to CVE-2026-32964


CVSS v3 Severity
Base Metrics: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): High
  • Availability Impact (A): None
The above CVSS base score has been assigned to CVE-2026-32965


CVSS v3 Severity
Base Metrics: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): None
  • Availability Impact (A): High
The above CVSS base score has been assigned to CVE-2015-5621


CVSS v3 Severity
Base Metrics: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): None
  • Integrity Impact (I): None
  • Availability Impact (A): Low
The above CVSS base score has been assigned to CVE-2024-24487
Affected Products


silex technology
  • AMC Manager Ver.5.0.2 and earlier
  • SD-330AC Ver.1.42 and earlier

Impact

  • Arbitrary code may be executed on the device (CVE-2026-32955, CVE-2026-32956)
  • An arbitrary file may be uploaded to the device without authentication (CVE-2026-32957)
  • An administrative user may be tricked into applying a fake firmware update (CVE-2026-32958)
  • Information in the traffic may be retrieved via a man-in-the-middle attack (CVE-2026-32959)
  • An attacker may log in to the device without knowing the password by sending a crafted packet (CVE-2026-32960)
  • Processing a crafted packet may cause a temporary denial-of-service (DoS) condition (CVE-2026-32961)
  • The device configuration may be altered without authentication (CVE-2026-32962)
  • When a user who is logged in to the affected device accesses a crafted web page, an arbitrary script may be executed in the user's browser (CVE-2026-32963)
  • Processing crafted configuration data may lead to arbitrary entries being injected into the system configuration (CVE-2026-32964)
  • When the affected device is connected to the network in its initial (factory-default) configuration, the device can be configured with an empty (null-string) password (CVE-2026-32965)
  • The outdated, vulnerable net-snmp software embedded in the device can be exploited with crafted packets, causing a denial-of-service (DoS) condition (CVE-2015-5621)
  • No authentication is required to reboot the affected device (CVE-2024-24487)
Solution

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the following versions to address these vulnerabilities.
  • SD-330AC firmware Ver.1.50 or later
  • AMC Manager Ver.5.1.0 or later
[Apply the Workaround]
Until the update can be applied, the following workarounds reduce exposure to some of the vulnerabilities:
  • CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32963: Disable the HTTP/HTTPS service.
  • CVE-2026-32958, CVE-2026-32965: Set a password for the settings web interface.
  • CVE-2015-5621: Disable the SNMP service.
No workaround is listed for the remaining vulnerabilities (CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2026-32964, CVE-2024-24487); for those, updating the firmware is the only mitigation this advisory provides.
Vendor Information

silex technology
CWE

  1. Insecure Default Initialization of Resource (CWE-1188)
  2. Stack-based Buffer Overflow (CWE-121)
  3. Heap-based Buffer Overflow (CWE-122)
  4. Dependency on Vulnerable Third-Party Component (CWE-1395)
  5. Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
  6. Incorrect Privilege Assignment (CWE-266)
  7. Missing Authentication for Critical Function (CWE-306)
  8. Use of Hard-coded Cryptographic Key (CWE-321)
  9. Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
  10. Cross-site Scripting (CWE-79)
  11. Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
CVE

  1. CVE-2015-5621
  2. CVE-2024-24487
  3. CVE-2026-32955
  4. CVE-2026-32956
  5. CVE-2026-32957
  6. CVE-2026-32958
  7. CVE-2026-32959
  8. CVE-2026-32960
  9. CVE-2026-32961
  10. CVE-2026-32962
  11. CVE-2026-32963
  12. CVE-2026-32964
  13. CVE-2026-32965
References

  1. JVN : JVNVU#94271449
Revision History

  • [2026/04/21]
      Web page was published