Critical Flaws in Silex SD-330AC and AMC Manager Demand Immediate Patching

911 words, ~4 min read

---
title: "Critical Flaws in Silex SD-330AC and AMC Manager Demand Immediate Patching"
short_title: "Silex SD-330AC and AMC Manager critical flaws"
description: "Silex Technology SD-330AC and AMC Manager plagued by 13 critical vulnerabilities, enabling remote code execution, DoS, and unauthorized access. Patch now."
author: "Vitus"
date: 2024-07-10
categories: [Cybersecurity, Vulnerabilities]
tags: [silex-technology, cve-2026, buffer-overflow, rce, cybersecurity]
score: 0.92
cve_ids: [CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32958, CVE-2015-5621, CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2024-24487, CVE-2026-32963, CVE-2026-32964, CVE-2026-32965]
---

## TL;DR
Silex Technology’s SD-330AC and AMC Manager are affected by 13 critical vulnerabilities, including stack-based and heap-based buffer overflows, missing authentication, and hard-coded cryptographic keys. Exploitation could lead to remote code execution (RCE), denial-of-service (DoS), and unauthorized configuration changes. Users must upgrade to firmware version 1.50 or later and disable vulnerable services to mitigate risks.

Main Content

### Introduction
Silex Technology, a global leader in connectivity solutions, has issued an urgent security advisory for its SD-330AC and AMC Manager products. A total of 13 vulnerabilities have been discovered, ranging from buffer overflows to missing authentication for critical functions. These flaws could allow attackers to execute arbitrary code, disrupt operations, or gain unauthorized access to sensitive configurations. Given the worldwide deployment of these devices, organizations must act swiftly to apply patches and implement mitigations.

### Key Points
- 13 vulnerabilities affect Silex Technology’s SD-330AC (≤1.42) and AMC Manager (≤5.0.2).
- Flaws include stack-based and heap-based buffer overflows, missing authentication, hard-coded cryptographic keys, and XSS vulnerabilities.
- Exploitation could lead to remote code execution (RCE), denial-of-service (DoS), and unauthorized configuration changes.
- CVSS scores range from 5.3 (Medium) to 9.8 (Critical), highlighting the severity of these issues.
- Patches are available: Upgrade to SD-330AC firmware 1.50+ or AMC Manager 5.1.0+.
- Mitigations include disabling HTTP/HTTPS and SNMP services and setting strong passwords for web interfaces.

Technical Details

#### Vulnerability Breakdown
The vulnerabilities in Silex Technology’s products can be categorized as follows:

1. Buffer Overflow Vulnerabilities
- CVE-2026-32955 (Stack-based Buffer Overflow): Allows attackers to execute arbitrary code with a CVSS score of 8.8 (High).
- CVE-2026-32956 (Heap-based Buffer Overflow): Enables RCE with a CVSS score of 9.8 (Critical).
- CVE-2026-32961 (Heap-based Buffer Overflow): Could cause a temporary DoS condition (CVSS 5.3).

2. Authentication and Cryptographic Flaws
- CVE-2026-32957 (Missing Authentication for Critical Function): Allows unauthenticated file uploads (CVSS 5.3).
- CVE-2026-32958 (Use of Hard-coded Cryptographic Key): Enables attackers to trick users into applying fake firmware updates (CVSS 6.5).
- CVE-2026-32959 (Use of a Broken or Risky Cryptographic Algorithm): Permits man-in-the-middle attacks to retrieve sensitive information (CVSS 5.9).
- CVE-2026-32965 (Insecure Default Configuration): Allows attackers to configure devices using default null passwords (CVSS 7.5).

3. Web and Configuration Vulnerabilities
- CVE-2026-32963 (Cross-site Scripting - XSS): Enables attackers to execute arbitrary scripts in users' browsers (CVSS 6.1).
- CVE-2026-32964 (CRLF Injection): Allows arbitrary configuration changes (CVSS 6.5).
- CVE-2024-24487 (Incorrect Privilege Assignment): Could lead to DoS via crafted UDP packets (CVSS 6.8).

4. Legacy Vulnerability
- CVE-2015-5621 (Dependency on Vulnerable Third-Party Component): Affects the SNMP service, leading to DoS conditions (CVSS 7.5).

### Impact Assessment
The vulnerabilities pose severe risks to organizations using Silex Technology’s SD-330AC and AMC Manager:

  • Remote Code Execution (RCE): Attackers could gain full control of affected devices, leading to data breaches or lateral movement within networks.
  • Denial-of-Service (DoS): Exploitation could disrupt critical operations, particularly in industries relying on uninterrupted connectivity.
  • Unauthorized Access: Missing authentication and hard-coded keys could allow attackers to alter device configurations or deploy malicious firmware.
  • Data Exposure: Vulnerabilities like CRLF injection and XSS could expose sensitive information or enable phishing attacks.

Given the global deployment of these devices, the potential for large-scale exploitation is significant, particularly in information technology and industrial sectors.

### Mitigation Steps
Silex Technology has released patches to address these vulnerabilities. Users are strongly advised to:

1. Upgrade Immediately:
- SD-330AC: Update to firmware version 1.50 or later.
- AMC Manager: Upgrade to version 5.1.0 or later.

2. Disable Vulnerable Services:
- HTTP/HTTPS: Disable if not required (mitigates CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963).
- SNMP: Disable to mitigate CVE-2015-5621.

3. Secure Web Interfaces:
- Set strong passwords for the settings web interface to mitigate CVE-2026-32958 and CVE-2026-32965.

4. Monitor for Exploitation:
- Implement network segmentation and firewalls to limit exposure.
- Use VPNs for remote access and ensure they are updated to the latest version.

For detailed guidance, refer to Silex Technology’s security advisory or JPCERT/CC’s vulnerability notes.

### Affected Systems
- Silex Technology SD-330AC (firmware versions ≤1.42).
- Silex Technology AMC Manager (versions ≤5.0.2).

## Conclusion
The discovery of 13 critical vulnerabilities in Silex Technology’s SD-330AC and AMC Manager underscores the importance of proactive cybersecurity measures. Organizations must patch affected systems immediately, disable unnecessary services, and implement strong authentication mechanisms to mitigate risks. Failure to act could result in remote code execution, DoS attacks, or unauthorized access, with potentially devastating consequences for global IT infrastructure.

Stay vigilant, monitor for updates, and prioritize security to safeguard against exploitation.

## References
[^1]: CISA. "ICSA-26-111-10 Silex Technology SD-330AC and AMC Manager". Retrieved 2024-07-10.
[^2]: Silex Technology. "Security Advisory 2026-001". Retrieved 2024-07-10.
[^3]: JPCERT/CC. "JVNVU94271449". Retrieved 2024-07-10.
[^4]: MITRE. "CWE-121: Stack-based Buffer Overflow". Retrieved 2024-07-10.

Related CVEs