PatchSiren cyber security CVE debrief
CVE-2026-32955 Raw CVE debrief
CVE-2026-32955 affects Silex Technology SD-330AC and AMC Manager and is described by CISA as a stack-based buffer overflow that could let an attacker execute arbitrary code on the device. CISA published the advisory on 2026-04-21 and lists vendor fixes plus a temporary mitigation to disable HTTP/HTTPS service.
- Vendor: Raw
- Product: Silex Technology SD-330AC <=1.42, AMC Manager <=5.0.2
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-04-21
- Advisory published: 2026-04-21
- Advisory updated: 2026-04-21
Who should care
Administrators and operators using Silex Technology SD-330AC firmware 1.42 or earlier and AMC Manager 5.0.2 or earlier, especially where the management interface is exposed on networks used for operational or embedded-device administration.
Technical summary
The advisory describes a stack-based buffer overflow in SD-330AC and AMC Manager. CISA’s metadata rates the issue CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network-reachable attack potential with high confidentiality, integrity, and availability impact. The advisory also includes SSVCv2 notation E:N/A:N dated 2026-04-20. Remediation is available in SD-330AC firmware 1.50 or later and AMC Manager 5.1.0 or later; CISA also lists disabling HTTP/HTTPS service as a mitigation for this and related issues.
Defensive priority
High — patch or mitigate immediately.
Recommended defensive actions
- Upgrade SD-330AC to firmware 1.50 or later.
- Upgrade AMC Manager to version 5.1.0 or later.
- If you cannot patch immediately, disable HTTP/HTTPS service as CISA recommends for this advisory’s affected CVEs.
- Review exposure of device management interfaces and restrict access to trusted administrative networks.
- Validate whether any deployed devices match the affected version ranges: SD-330AC 1.42 or earlier and AMC Manager 5.0.2 or earlier.
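The version check in the last action can be scripted against an asset inventory. The following is an added example, not code from CISA or the vendor; it assumes dotted-integer version strings as written in this debrief, and the host names and CSV layout are hypothetical. Versions that fall between the highest affected release and the first fixed release are flagged `verify` because the advisory text does not classify them.

```python
import csv
import io

# Ranges as stated in the debrief: (highest affected version, first fixed version).
RANGES = {
    "SD-330AC": ((1, 42), (1, 50)),
    "AMC Manager": ((5, 0, 2), (5, 1, 0)),
}

def parse_version(text):
    """Turn '5.0.2' or 'v1.42' into a tuple of ints; raise ValueError if malformed."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def pad(a, b):
    """Zero-pad two version tuples to equal length so 5.1 compares equal to 5.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def classify(product, version_text):
    """Return 'affected', 'fixed', 'verify' (between the two ranges) or 'unknown'."""
    try:
        version = parse_version(version_text)
        max_affected, first_fixed = RANGES[product]
    except (KeyError, ValueError):
        return "unknown"  # product not covered here, or version not parseable
    v, hi = pad(version, max_affected)
    if v <= hi:
        return "affected"
    v, fx = pad(version, first_fixed)
    return "fixed" if v >= fx else "verify"

def triage(inventory_csv):
    """Map each host in a CSV (columns: host, product, version) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"].strip(), r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,product,version
ds-01,SD-330AC,1.42
ds-02,SD-330AC,1.50
ds-03,SD-330AC,1.45
mgr-01,AMC Manager,5.0.2
mgr-02,AMC Manager,5.1
mgr-03,AMC Manager,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `verify` need a manual check of the running firmware or software version before they are treated as safe.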
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-111-10 (source item: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-111-10.json) and the linked official references. The advisory states: a stack-based buffer overflow could allow arbitrary code execution on the device; affected versions are SD-330AC <=1.42 and AMC Manager <=5.0.2; fixes are SD-330AC firmware 1.50+ and AMC Manager 5.1.0+; and a mitigation is to disable HTTP/HTTPS service. The CVE and source publication timestamps used here are 2026-04-21T06:00:00.000Z.
Official resources
- CVE-2026-32955 CVE record (CVE.org)
- CVE-2026-32955 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA as ICSA-26-111-10 on 2026-04-21T06:00:00.000Z, with the CVE record published the same day. The advisory includes SSVCv2 notation E:N/A:N dated 2026-04-20T06:00:00.000Z.