Cyber Posture

CVE-2026-32965

High

Published: 20 April 2026

Modified: 22 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0004 (11.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32965 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Silextechnology Sd-330Ac Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: CM-6 requires establishing and enforcing secure configuration settings that prohibit null string passwords in factory-default device configurations.

Prevent: IA-5 mandates management of authenticators to prevent the use of insecure defaults like null passwords on network-accessible devices.

Prevent: CM-2 requires developing and maintaining baseline configurations that replace insecure factory defaults with settings disallowing null passwords.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An insecure factory-default null password on a network-reachable device directly enables unauthenticated configuration and control of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial (factory-default) configuration, the device can be configured with the null string password.

Deeper analysis

CVE-2026-32965 is an initialization of a resource with an insecure default vulnerability (CWE-1188) affecting SD-330AC and AMC Manager products provided by silex technology, Inc. Published on 2026-04-20T04:16:45.583, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The flaw occurs when an affected device is connected to the network in its initial factory-default configuration, enabling the device to be configured with a null string password.

A network-accessible attacker requires no privileges or user interaction to exploit this vulnerability. Exploitation allows the attacker to achieve high integrity impact by configuring the device with an empty password, potentially compromising its security controls.

Advisories detailing mitigations and patches are available from Japan's Vulnerability Notes at https://jvn.jp/en/vu/JVNVU94271449/ and silex technology at https://www.silex.jp/support/security-advisories/2026-001 and https://www.silex.jp/support/security-advisories/en/2026-001.

Details

CWE(s): CWE-1188

Affected Products

silextechnology / sd-330ac firmware: ≤ 1.50
silextechnology / amc manager: ≤ 5.1.0

CVEs Like This One

CVE-2026-32956 (same product: Silextechnology Amc Manager)
CVE-2026-32955 (same product: Silextechnology Amc Manager)
CVE-2025-69970 (shared CWE-1188)
CVE-2026-31957 (shared CWE-1188)
CVE-2026-33037 (shared CWE-1188)
CVE-2025-56332 (shared CWE-1188)
CVE-2026-24148 (shared CWE-1188)
CVE-2026-25894 (shared CWE-1188)
CVE-2025-25271 (shared CWE-1188)
CVE-2026-28775 (shared CWE-1188)