Cyber Resilience

CVE-2026-32965

High

Published: 20 April 2026
Modified: 22 April 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0035 (26.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32965 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in silex technology SD-330AC firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-32965 is an initialization of a resource with an insecure default vulnerability (CWE-1188) affecting SD-330AC and AMC Manager products provided by silex technology, Inc. Published on 2026-04-20T04:16:45.583, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The flaw occurs when an affected device is connected to the network in its initial factory-default configuration, enabling the device to be configured with a null string password.

A network-accessible attacker requires no privileges or user interaction to exploit this vulnerability. Exploitation allows the attacker to achieve high integrity impact by configuring the device with an empty password, potentially compromising its security controls.

Advisories detailing mitigations and patches are available from Japan's Vulnerability Notes at https://jvn.jp/en/vu/JVNVU94271449/ and silex technology at https://www.silex.jp/support/security-advisories/2026-001 and https://www.silex.jp/support/security-advisories/en/2026-001.

Vulnerability details

Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial (factory-default) configuration, the device can be configured with the null string password.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure factory-default null password on a network-reachable device directly enables unauthenticated configuration and control of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32956: Same product (silex technology AMC Manager)
CVE-2026-32955: Same product (silex technology AMC Manager)
CVE-2026-27662: Shared CWE-1188
CVE-2026-31957: Shared CWE-1188
CVE-2026-33376: Shared CWE-1188
CVE-2025-69970: Shared CWE-1188
CVE-2026-30805: Shared CWE-1188
CVE-2025-56332: Shared CWE-1188
CVE-2026-43581: Shared CWE-1188
CVE-2026-35672: Shared CWE-1188

Affected Assets

silextechnology / sd-330ac firmware: ≤ 1.50
silextechnology / amc manager: ≤ 5.1.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: CM-6 requires establishing and enforcing secure configuration settings that prohibit null string passwords in factory-default device configurations.

Prevent: IA-5 mandates management of authenticators to prevent the use of insecure defaults like null passwords on network-accessible devices.

Prevent: CM-2 calls for developing and maintaining baseline configurations that replace insecure factory defaults with settings disallowing null passwords.
