PatchSiren cyber security CVE debrief

CVE-2026-32956 Raw CVE debrief

CVE-2026-32956 is a critical heap-based buffer overflow affecting Silex Technology SD-330AC firmware and AMC Manager. According to the CISA CSAF advisory published on 2026-04-21, the issue could allow an attacker to execute arbitrary code on the device. The advisory lists affected versions as SD-330AC firmware 1.42 and earlier, and AMC Manager 5.0.2 and earlier, with vendor fixes available in SD-330AC firmware 1.50 or later and AMC Manager 5.1.0 or later.

Vendor: Raw
Product: Silex Technology SD-330AC <=1.42; AMC Manager <=5.0.2
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-04-21
Advisory published: 2026-04-21
Advisory updated: 2026-04-21

Who should care

Asset owners, administrators, and security teams responsible for Silex Technology SD-330AC deployments and AMC Manager environments should treat this as urgent, especially in OT/ICS-adjacent networks where device firmware and management services are exposed.

Technical summary

CISA describes the flaw as a heap-based buffer overflow in Silex Technology SD-330AC and AMC Manager. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-exploitable issue with no privileges or user interaction required and potential impact to confidentiality, integrity, and availability. The advisory ties remediation to firmware/software updates and also notes a mitigation to disable HTTP/HTTPS service for CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963.

Defensive priority

Urgent

Recommended defensive actions

  • Upgrade SD-330AC firmware to version 1.50 or later.
  • Upgrade AMC Manager to version 5.1.0 or later.
  • If immediate patching is not possible, disable HTTP/HTTPS service as directed in the advisory.
  • Review exposure of affected devices and restrict management access to trusted administrative networks.
  • Apply CISA ICS recommended practices and monitor for abnormal device behavior after remediation.
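
The version boundaries and the interim HTTP/HTTPS mitigation above can be applied to an asset inventory for triage. The following is an added example, not code from the advisory or the vendor; the inventory schema (name, product, version, http_enabled), the sample records and the status labels are assumptions made for illustration, and versions are assumed to be dotted numeric strings.

```python
import re

# Version boundaries as stated in the advisory summary above.
RULES = {
    "SD-330AC": {"max_affected": (1, 42), "first_fixed": (1, 50)},
    "AMC Manager": {"max_affected": (5, 0, 2), "first_fixed": (5, 1, 0)},
}

def parse_version(text):
    """Dotted numeric version -> tuple of ints, or None if it cannot be parsed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def cmp_key(version, width=4):
    """Pad with zeros so that 5.1 and 5.1.0 compare equal."""
    return version + (0,) * (width - len(version))

def triage(asset):
    """Classify one record. Schema (product, version, http_enabled) is hypothetical."""
    rule = RULES.get(asset["product"])
    if rule is None:
        return "not-in-scope"
    version = parse_version(asset["version"])
    if version is None or len(version) > 4:
        return "review-manually"  # unreadable version: never assume it is fixed
    if cmp_key(version) >= cmp_key(rule["first_fixed"]):
        return "fixed"
    if cmp_key(version) > cmp_key(rule["max_affected"]):
        return "review-manually"  # between the stated affected and fixed ranges
    # Affected. Disabling HTTP/HTTPS is the interim mitigation, not the fix.
    return "affected-http-enabled" if asset["http_enabled"] else "affected-http-disabled"

# Constructed sample inventory (not real assets).
INVENTORY = [
    {"name": "bridge-01", "product": "SD-330AC", "version": "1.42", "http_enabled": True},
    {"name": "bridge-02", "product": "SD-330AC", "version": "1.50", "http_enabled": True},
    {"name": "bridge-03", "product": "SD-330AC", "version": "1.45", "http_enabled": True},
    {"name": "amc-01", "product": "AMC Manager", "version": "5.0.2", "http_enabled": False},
    {"name": "bridge-04", "product": "SD-330AC", "version": "v1.4x", "http_enabled": False},
]

def report(inventory):
    return {asset["name"]: triage(asset) for asset in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Records in the affected-http-enabled state are the ones with neither the fix nor the interim mitigation in place and should be handled first.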

Evidence notes

Evidence is drawn from the CISA CSAF advisory ICSA-26-111-10 and its references. The advisory was published on 2026-04-21 and explicitly states: (1) a heap-based buffer overflow exists in Silex Technology SD-330AC and AMC Manager, (2) the vulnerability could allow arbitrary code execution on the device, (3) affected versions are SD-330AC firmware <= 1.42 and AMC Manager <= 5.0.2, and (4) fixes are SD-330AC firmware 1.50+ and AMC Manager 5.1.0+. The supplied data also includes a CVSS 3.1 score of 9.8 (Critical) and no KEV listing.

Official resources

CISA published the advisory on 2026-04-21. The supplied enrichment does not list the vulnerability in CISA KEV.