Cyber Resilience

CVE-2026-32956

Critical

Published: 20 April 2026

Published
20 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 40.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-32956 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Silextechnology Sd-330Ac Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-32956 is a heap-based buffer overflow vulnerability (CWE-122) affecting the SD-330AC and AMC Manager products provided by silex technology, Inc. The flaw occurs in the processing of redirect URLs, which can lead to arbitrary code execution on the device. Published on 2026-04-20, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges required and no user interaction needed. Attackers can send specially crafted redirect URLs to trigger the buffer overflow, achieving arbitrary code execution on the affected device, potentially leading to full compromise.

Advisories detailing the issue and mitigation are available from the Japan Vulnerability Notes (JVN) at https://jvn.jp/en/vu/JVNVU94271449/ and silex technology at https://www.silex.jp/support/security-advisories/2026-001 and https://www.silex.jp/support/security-advisories/en/2026-001.

EU & UK References

Vulnerability details

SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated heap buffer overflow in redirect URL processing of a network-exposed device/management application directly enables initial access via exploitation of a public-facing application (T1190), resulting in arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32965Same product: Silextechnology Amc Manager
CVE-2026-32955Same product: Silextechnology Amc Manager
CVE-2025-53511Shared CWE-122
CVE-2026-20868Shared CWE-122
CVE-2026-0006Shared CWE-122
CVE-2026-22828Shared CWE-122
CVE-2026-4395Shared CWE-122
CVE-2025-23317Shared CWE-122
CVE-2025-67896Shared CWE-122
CVE-2025-34523Shared CWE-122

Affected Assets

silextechnology
sd-330ac firmware
≤ 1.50
silextechnology
amc manager
≤ 5.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the heap-based buffer overflow vulnerability by identifying, patching, and deploying fixes for the affected SD-330AC and AMC Manager products.

prevent

Validates redirect URL inputs to prevent specially crafted inputs from triggering the heap buffer overflow leading to arbitrary code execution.

prevent

Implements memory protections such as ASLR and DEP to block arbitrary code execution even if the heap buffer overflow occurs.

References