{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32957", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-17T00:23:24.980Z", "datePublished": "2026-04-20T03:19:35.581Z", "dateUpdated": "2026-04-20T03:19:35.581Z"}, "containers": {"cna": {"affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"version": "Ver.1.42 and earlier", "status": "affected"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"version": "Ver.5.0.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue on firmware maintenance. Arbitrary file may be uploaded on the device without authentication."}], "problemTypes": [{"descriptions": [{"description": "Missing authentication for critical function", "lang": "en-US", "cweId": "CWE-306", "type": "CWE"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:19:35.581Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue on firmware maintenance. Arbitrary file may be uploaded on the device without authentication."}], "id": "CVE-2026-32957", "lastModified": "2026-04-20T04:16:39.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-20T04:16:39.093", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU94271449/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/en/2026-001"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T05:22:09.830463+00:00", "value": {"mitigation_remediation": ["Immediately apply any vendor-released firmware patch or update that addresses the missing authentication flaw.", "Restrict network access to the firmware maintenance interface by placing the device behind a firewall or only allowing management traffic from trusted IP addresses.", "Monitor device logs for suspicious file upload activity and configure alerts for unknown files uploaded to the firmware interface.", "If a patch is not yet available, disable the firmware maintenance functionality or isolate the device from untrusted networks."], "summary": {"action": "Patch Firmware", "impact": "Unauthenticated Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected systems are devices running Silex technology Inc.'s AMC Manager firmware and the SD\u2011330AC hardware. No specific firmware version ranges were released in the advisory, so all versions that contain the vulnerable interface are considered at risk until a patch is delivered.", "description_and_impact": "The flaw arises from a missing authentication check in the firmware maintenance interface of Silex technology Inc.'s AMC Manager and SD-330AC devices. Because the check is absent, an unauthenticated actor can upload an arbitrary file to the device. If the uploaded payload is interpreted as executable code or a script, the attacker can execute arbitrary commands on the device, effectively gaining remote control.\n\nThis absence of authentication directly maps to CWE\u2011306, a missing authentication weakness that enables unauthorized use of critical functions.\n\nThe vulnerability has a CVSS score of 6.9, signifying medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently widely exploited. Nonetheless, the remote, unauthenticated nature means that an attacker who can reach the firmware maintenance port could upload malicious files without privilege, leading to potential remote code execution and compromise of confidentiality, integrity, and availability.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.9, signifying medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not been documented. However, the flaw allows an attacker who can reach the firmware maintenance port to upload arbitrary files without authentication, affording a straight path to remote code execution. Once such a file is accepted, the attacker can execute arbitrary commands, creating a high impact threat to the device's confidentiality, integrity, and availability."}}}}, "created": "2026-04-20T05:30:44.129837+00:00", "title": "Unauthenticated File Upload in Silex AMC Manager and SD-330AC Firmware", "updated": "2026-04-20T05:30:44.129849+00:00", "vendors": []}