Cyber Posture

CVE-2026-32956

Critical

Published: 20 April 2026

Published
20 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 17.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32956 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Silextechnology Sd-330Ac Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the heap-based buffer overflow vulnerability by identifying, patching, and deploying fixes for the affected SD-330AC and AMC Manager products.

SI-10 Information Input Validation good match
prevent

Validates redirect URL inputs to prevent specially crafted inputs from triggering the heap buffer overflow leading to arbitrary code execution.

SI-16 Memory Protection good match
prevent

Implements memory protections such as ASLR and DEP to block arbitrary code execution even if the heap buffer overflow occurs.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote unauthenticated heap buffer overflow in redirect URL processing of a network-exposed device/management application directly enables initial access via exploitation of a public-facing application (T1190), resulting in arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.

Deeper analysisAI

CVE-2026-32956 is a heap-based buffer overflow vulnerability (CWE-122) affecting the SD-330AC and AMC Manager products provided by silex technology, Inc. The flaw occurs in the processing of redirect URLs, which can lead to arbitrary code execution on the device. Published on 2026-04-20, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges required and no user interaction needed. Attackers can send specially crafted redirect URLs to trigger the buffer overflow, achieving arbitrary code execution on the affected device, potentially leading to full compromise.

Advisories detailing the issue and mitigation are available from the Japan Vulnerability Notes (JVN) at https://jvn.jp/en/vu/JVNVU94271449/ and silex technology at https://www.silex.jp/support/security-advisories/2026-001 and https://www.silex.jp/support/security-advisories/en/2026-001.

Details

CWE(s)
CWE-122

Affected Products

silextechnology
sd-330ac firmware
≤ 1.50
silextechnology
amc manager
≤ 5.1.0

CVEs Like This One

CVE-2026-32965Same product: Silextechnology Amc Manager
CVE-2026-32955Same product: Silextechnology Amc Manager
CVE-2025-53766Shared CWE-122
CVE-2025-48005Shared CWE-122
CVE-2026-2005Shared CWE-122
CVE-2025-67896Shared CWE-122
CVE-2026-22697Shared CWE-122
CVE-2025-65085Shared CWE-122
CVE-2025-34523Shared CWE-122
CVE-2026-20766Shared CWE-122

References