{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32956", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-17T00:23:24.980Z", "datePublished": "2026-04-20T03:20:01.225Z", "dateUpdated": "2026-04-20T03:20:01.225Z"}, "containers": {"cna": {"affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"version": "Ver.1.42 and earlier", "status": "affected"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"version": "Ver.5.0.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device."}], "problemTypes": [{"descriptions": [{"description": "Heap-based buffer overflow", "lang": "en-US", "cweId": "CWE-122", "type": "CWE"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:20:01.225Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device."}], "id": "CVE-2026-32956", "lastModified": "2026-04-20T04:16:34.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-20T04:16:34.810", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU94271449/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/en/2026-001"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T05:51:02.414347+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware or software update from Silex that addresses the buffer\u2011overflow flaw in redirect\u2011URL processing.", "Restrict or block external access to the device\u2019s management and network interfaces to limit opportunities for attackers to deliver malicious redirect URLs.", "If a patch is not yet available, disable or limit redirect\u2011URL functionality on the device so that untrusted URLs are ignored."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Silex Technology, Inc.\u2019s AMC Manager and SD\u2011330AC products. No specific version numbers are listed, so all releases that contain the redirect\u2011URL handling routine may be impacted until a fix is applied.", "description_and_impact": "An overflow occurs in the device\u2019s heap when it processes redirect URLs, which provides a path for an attacker to inject arbitrary code and execute it with the device\u2019s privileges. Based on the description, it is inferred that an attacker can craft a malicious redirect URL that triggers the buffer overflow and runs arbitrary code. The flaw is a classic heap\u2011based buffer overflow identified as CWE\u2011122, and the impact is the potential for full compromise of the device.", "risk_and_exploitability": "The CVSS score of 9.3 classifies the issue as high severity, indicating a significant threat if exploited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the lack of these metrics does not lower the risk. Based on the description, it is inferred that an attacker can exploit the flaw over the network by sending a crafted redirect URL to the device, after which arbitrary code runs with the device\u2019s privileges. The high CVSS score and the nature of the vulnerability suggest that exploitation could lead to complete system compromise, lateral movement, and data exfiltration."}}}}, "created": "2026-04-20T06:00:08.099718+00:00", "title": "Heap\u2011Based Buffer Overflow in Redirect URL Processing Allows Arbitrary Code Execution", "updated": "2026-04-20T06:00:08.099730+00:00", "vendors": []}