Skip to main content

Sd 330Ac EUVDEUVD-2026-23749

| CVE-2026-32956 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-04-20 jpcert GHSA-jwm2-xvrj-2mh2
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 20, 2026 - 04:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 04:22 vuln.today
cvss_changed
CVSS changed
Apr 20, 2026 - 04:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 20, 2026 - 04:09 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 04:00 euvd
EUVD-2026-23749
Analysis Generated
Apr 20, 2026 - 04:00 vuln.today
CVE Published
Apr 20, 2026 - 03:20 nvd
CRITICAL 9.3

DescriptionCVE.org

SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.

AnalysisAI

Remote code execution in silex technology SD-330AC and AMC Manager allows unauthenticated network attackers to execute arbitrary code via heap-based buffer overflow when processing redirect URLs. CVSS 9.3 critical severity with attack vector AV:N/AC:L/PR:N/UI:N indicates trivial exploitation against internet-facing devices. No public exploit identified at time of analysis, though JPCERT coordination suggests vendor-confirmed vulnerability. EPSS data not available; real-world risk depends on internet exposure of affected silex wireless bridge and management software installations.

Technical ContextAI

This vulnerability affects silex technology's SD-330AC (a wireless bridge/access point device) and AMC Manager (device management software). The flaw is a heap-based buffer overflow (CWE-122) triggered during redirect URL processing, likely in HTTP/HTTPS handling code that parses Location headers or similar redirect mechanisms. Heap overflows occur when data copied to dynamically allocated memory exceeds buffer boundaries, corrupting adjacent heap structures. Unlike stack overflows, heap exploitation can overwrite function pointers, virtual tables, or heap metadata to achieve code execution. The redirect URL attack vector suggests the vulnerability lies in web server components or administrative interfaces that handle URL redirection, making it exploitable through crafted HTTP requests without prior authentication.

RemediationAI

Apply vendor-released patches detailed in silex technology security advisory 2026-001 available at https://www.silex.jp/support/security-advisories/en/2026-001. Exact patched firmware versions for SD-330AC and AMC Manager software releases are specified in the advisory; prioritize upgrading internet-facing installations immediately. If patching cannot be completed within 24-48 hours, implement these compensating controls: (1) Remove SD-330AC devices and AMC Manager interfaces from public internet exposure by placing behind firewall with strict IP whitelisting for administrative access only - eliminates AV:N attack vector but requires VPN for remote management. (2) Disable HTTP/HTTPS redirect functionality in device configuration if operationally feasible - may break legitimate redirect-based workflows but prevents exploitation of the specific vulnerable code path. (3) Deploy intrusion prevention signatures to detect malformed redirect URL patterns in HTTP requests targeting silex devices - effective against automated exploitation but bypassable with obfuscation. Note that compensating controls do not eliminate the vulnerability and should be temporary measures only.

CVE-2026-32955 HIGH
8.7 Apr 20

Stack-based buffer overflow in silex technology's SD-330AC (Ver.1.42 and earlier) and AMC Manager (Ver.5.0.2 and earlier

CVE-2026-32965 HIGH
8.7 Apr 20

SD-330AC wireless LAN modules and AMC Manager devices from silex technology allow unauthenticated remote attackers to mo

CVE-2026-32959 HIGH
8.2 Apr 20

Weak cryptographic implementation in Silex Technology SD-330AC wireless LAN adapters (v1.42 and earlier) and AMC Manager

CVE-2026-32960 HIGH
7.1 Apr 20

Authentication bypass in silex technology SD-330AC (≤1.42) and AMC Manager (≤5.0.2) allows remote attackers to gain unau

CVE-2026-32957 MEDIUM
6.9 Apr 20

Unauthenticated arbitrary file upload in Silex Technology SD-330AC and AMC Manager firmware maintenance functions allows

CVE-2026-32962 MEDIUM
6.9 Apr 20

SD-330AC and AMC Manager by Silex Technology lack authentication controls on critical configuration functions, allowing

CVE-2026-32964 MEDIUM
6.9 Apr 20

CRLF injection in Silex Technology SD-330AC and AMC Manager allows unauthenticated remote attackers to inject arbitrary

CVE-2026-32961 MEDIUM
6.9 Apr 20

Heap-based buffer overflow in Silex SD-330AC and AMC Manager packet processing allows remote unauthenticated attackers t

CVE-2026-32958 MEDIUM
6.9 Apr 20

Hard-coded cryptographic keys in Silex Technology SD-330AC and AMC Manager enable attackers to forge firmware updates th

CVE-2026-32963 MEDIUM
5.1 Apr 20

Reflected cross-site scripting (XSS) in Silex Technology SD-330AC and AMC Manager allows remote attackers to execute arb

Share

EUVD-2026-23749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy