On April 21, 2026, CISA published ICS advisory ICSA-26-111-10 disclosing thirteen vulnerabilities affecting the Silex Technology SD-330AC wireless serial device server and AMC Manager centralized device management platform. The flaws range from critical unauthenticated remote code execution to authentication bypasses, hard-coded cryptographic keys, cross-site scripting, and insecure default configurations. The most severe issue, CVE-2026-32956, carries a CVSS v3.1 base score of 9.8 and allows a remote attacker to execute arbitrary code on the device without any authentication or user interaction.
The vulnerabilities span stack and heap buffer overflows in the redirect URL parsing logic, missing authentication on firmware upload and configuration endpoints, hard-coded cryptographic keys permitting fake firmware to be pushed to the device, broken cryptographic algorithms exposing management traffic to man-in-the-middle retrieval, CRLF injection in configuration processing, reflected cross-site scripting in the web interface, and a factory-default null password. One of the thirteen CVEs is CVE-2015-5621, a pre-existing integer-overflow flaw in the bundled net-snmp library for which public exploit code has been available since 2018. Another, CVE-2024-24487, applies to the related Silex DS-600 product line and triggers a denial-of-service via UDP EXEC REBOOT SYSTEM packets. All SD-330AC firmware releases prior to 1.50 and all AMC Manager releases prior to 5.1.0 are affected.
The SD-330AC is a wireless serial device server widely deployed in industrial environments to bridge RS-232 and RS-485 field devices — PLCs, flow meters, HMI panels, and protective relays — onto wireless networks. Because many of these legacy serial endpoints carry live process control traffic and provide engineering access to production equipment, compromise of the SD-330AC effectively grants an attacker a foothold at Purdue Level 2 or below. An unauthenticated attacker exploiting CVE-2026-32956 can take full control of the device, intercept or manipulate serial traffic, pivot onto adjacent OT segments, and potentially disrupt physical process operations.
CVE-2026-32955, with a CVSS v3.1 score of 8.8 and CVSS v4.0 score of 8.7, is a stack-based buffer overflow (CWE-121) in the redirect URL processing logic of both the SD-330AC firmware and AMC Manager. An attacker who can reach the device's management interface can craft a malicious redirect URL that overflows the return-address region of the parsing routine, redirecting execution into attacker-supplied shellcode and yielding arbitrary code execution with the device's privilege context.
CVE-2026-32956, with a CVSS v3.1 score of 9.8 and CVSS v4.0 score of 9.3, is the most severe flaw in this advisory set: a heap-based buffer overflow (CWE-122) in the same redirect URL processing path. The vulnerability is reachable over the network by an unauthenticated attacker with no user interaction, and successful exploitation yields arbitrary code execution. The attack complexity is low, privileges required are none, and the impact on confidentiality, integrity, and availability is rated high on both scoring systems.
CVE-2026-32957, with a CVSS v3.1 score of 5.3 and CVSS v4.0 score of 6.9, is a missing authentication flaw (CWE-306) in the firmware upload function. An attacker can upload an arbitrary file to the device without presenting any credentials, enabling malicious firmware replacement or staging of attacker-controlled binaries that the device may later execute during update or maintenance operations.
CVE-2026-32958, with a CVSS v3.1 score of 6.5 and CVSS v4.0 score of 6.9, stems from the use of a hard-coded cryptographic key (CWE-321) embedded in the firmware image. Because the signing key is identical across all deployed units, an attacker who extracts it from any device can craft a forged firmware image whose signature will validate, and an administrator following normal update procedures may unknowingly apply the malicious image.
CVE-2015-5621, with a CVSS v3.1 score of 7.5, is a long-standing integer overflow in the snmp_pdu_parse function of the bundled net-snmp library versions 5.7.2 and earlier. A malicious SNMP PDU can cause the parser to fail to clean up varBind variables, producing a denial-of-service condition or, under specific memory layouts, arbitrary code execution. Public proof-of-concept code has been available since 2018 (Exploit-DB 45547), and the flaw is well known to opportunistic scanners.
CVE-2026-32959, with a CVSS v3.1 score of 5.9 and CVSS v4.0 score of 8.2, reflects the use of a broken or risky cryptographic algorithm (CWE-327) in the device's management protocol. An attacker positioned between the operator workstation and the device can decrypt or retrieve session content, including credentials and configuration data, through a man-in-the-middle attack. The elevated v4.0 rating reflects the practical severity now that cryptanalysis against the algorithm is routine.
CVE-2026-32960, with a CVSS v3.1 score of 6.5 and CVSS v4.0 score of 7.1, is an authentication bypass arising from sensitive information not being cleared from reused internal resources (CWE-226). A crafted packet can coerce the device into treating the attacker's session as already authenticated, granting login access without the password being supplied.
CVE-2026-32961, with a CVSS v3.1 score of 5.3 and CVSS v4.0 score of 6.9, is a heap-based buffer overflow (CWE-122) in the sx_smpd packet-processing component. A single crafted packet is sufficient to trigger a temporary denial-of-service condition, taking the wireless serial bridge offline and severing the data path between the attached serial devices and the controlling systems.
CVE-2026-32962, with a CVSS v3.1 score of 5.3 and CVSS v4.0 score of 6.9, is a missing authentication flaw (CWE-306) covering the configuration interface. Device configuration — including network parameters, serial mode, encryption settings, and authentication policy — can be altered by a remote attacker without credentials, providing a direct path to converting the device into an attacker-controlled pivot.
CVE-2024-24487, with a CVSS v3.1 score of 6.8, is an improper access control flaw (CWE-284) in the Silex DS-600 firmware version 1.4.1. A remote attacker can transmit a crafted UDP packet containing an EXEC REBOOT SYSTEM command, causing the device to reboot and producing a denial-of-service condition. Although the DS-600 is not the same hardware as the SD-330AC, it is co-cited by CISA because the management surface shares common code.
CVE-2026-32963, with a CVSS v3.0 score of 6.1 and CVSS v4.0 score of 5.1, is a reflected cross-site scripting vulnerability (CWE-79) in the web interface. An authenticated administrator who follows a malicious link will execute attacker-supplied JavaScript in their browser under the device's origin, enabling session theft or CSRF-style reconfiguration.
CVE-2026-32964, with a CVSS v3.1 score of 6.5 and CVSS v4.0 score of 6.9, is a CRLF injection flaw (CWE-93) in the configuration data parser. Crafted configuration input can introduce arbitrary additional entries into the device's system configuration, enabling persistent backdoors, altered access-control lists, or changed logging destinations.
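To make the CRLF flaw class concrete, the following is an added example (not Silex code and not derived from the advisory) using an assumed line-oriented `key=value` configuration format: a writer that stores values verbatim lets a single value that contains a line terminator become a second entry when the file is read back, while a writer that validates keys and rejects CR, LF and NUL cannot. The entry names and addresses are constructed for the example.

```python
"""Added example: why an unvalidated CR/LF in a configuration value becomes an
extra configuration entry, and the hardened writer that prevents it.

The line-oriented "key=value" format is an assumption for this example; the
page does not describe the real device format.
"""
import re


def serialize_naive(entries: dict) -> str:
    """Unsafe writer: values are written verbatim, so a value that contains a
    newline is split into additional lines on disk."""
    return "".join(f"{key}={value}\n" for key, value in entries.items())


def parse_config(text: str) -> dict:
    """Parse key=value lines; a later occurrence of a key overrides an earlier one."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result


# Hardened writer: keys must match a strict pattern and values may not carry
# line terminators or NUL, so one logical entry can never become two lines.
_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
_FORBIDDEN = ("\r", "\n", "\x00")


def validate_entry(key: str, value: str) -> None:
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid key: {key!r}")
    if any(ch in value for ch in _FORBIDDEN):
        raise ValueError(f"line terminator or NUL in value for {key!r}")


def serialize_safe(entries: dict) -> str:
    for key, value in entries.items():
        validate_entry(key, value)
    return serialize_naive(entries)


def round_trip(entries: dict, safe: bool) -> dict:
    """Write the entries with one of the two writers and parse the file back."""
    text = serialize_safe(entries) if safe else serialize_naive(entries)
    return parse_config(text)


def rejects(entries: dict) -> bool:
    """True when the hardened writer refuses the entries."""
    try:
        serialize_safe(entries)
    except ValueError:
        return True
    return False


# Constructed input: the hostname value carries a CRLF followed by a second
# entry that redirects the logging destination, one of the consequences the
# advisory text names for this flaw class. Addresses are constructed.
LEGIT_SYSLOG = "10.20.5.1"
INJECTED = {
    "syslog_server": LEGIT_SYSLOG,
    "hostname": "sd330-line4\r\nsyslog_server=198.51.100.9",
}

if __name__ == "__main__":
    print("naive writer, read back:", round_trip(INJECTED, safe=False))
    print("hardened writer rejects:", rejects(INJECTED))
```

With the naive writer the injected line wins because it is parsed after the legitimate `syslog_server` entry; the hardened writer refuses the value before anything reaches disk, which is the behaviour a configuration parser on a device like this needs.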
CVE-2026-32965, with a CVSS v3.1 score of 7.5 and CVSS v4.0 score of 8.7, is an insecure default initialization (CWE-1188) in which the SD-330AC and AMC Manager ship with a null-string administrator password. Any unit placed on the network with factory defaults can be fully administered by any unauthenticated network-adjacent attacker until the initial password is manually set.
The SD-330AC is routinely deployed as the wireless ingress for serial-attached field equipment including PLCs, power meters, protective relays, HMI panels, and legacy engineering workstation connections. Unauthenticated remote code execution on such a device allows an attacker to hold or modify the serial traffic flowing through it — injecting false sensor values, suppressing alarms, or blocking engineering write commands — with operational consequences that can include process upsets, safety interlock bypass, and loss of situational awareness in the control room. AMC Manager exposure amplifies the blast radius: a single compromise of the management server can be used to push malicious firmware or configuration to every enrolled device simultaneously.
The bundled insecure defaults, weak cryptography, and authentication bypasses materially violate the segmentation, secure communication, and authentication control objectives in ISA/IEC 62443-3-3 (SR 1.1, SR 1.2, SR 3.1, SR 4.1), NIST SP 800-82r3, and the CIP-005 and CIP-007 requirements for BES Cyber Assets. Organizations subject to TSA Security Directive Pipeline-2021-02C, the EU NIS2 directive, or U.S. state water-sector rules may face disclosure obligations if Silex devices are found to be exposed to routable networks without the published mitigations applied. Auditors will treat deployed firmware below SD-330AC 1.50 or AMC Manager 5.1.0 as an open finding once this advisory is referenced.
Silex Technology and CISA have published the following recommended actions. Organizations should apply them in priority order, starting with the steps that address the highest-severity CVEs.
1. Upgrade SD-330AC firmware to version 1.50 or later and AMC Manager to version 5.1.0 or later on every enrolled device; the updates remediate all thirteen CVEs covered by ICSA-26-111-10.
2. Until the firmware upgrade is complete, disable the HTTP and HTTPS management services on the device to eliminate the reachable path for CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963.
3. Change every SD-330AC unit from the factory-default null-string administrator password immediately, and verify that no production unit retains the default credential; this neutralizes CVE-2026-32958 and CVE-2026-32965.
4. Isolate the SD-330AC and AMC Manager management plane behind a dedicated management VLAN or jump host, restricting TCP/80, TCP/443, and the proprietary sx_smpd and SNMP ports to a short list of authorized engineering workstations.
5. Enable egress restriction and passive monitoring on the OT network segment hosting the devices so that unexpected outbound traffic, firmware retrieval from untrusted hosts, or anomalous SNMP PDUs can be detected and investigated.
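As an added worked example of steps 1 to 4 applied to an asset inventory (not Silex, CISA or 1898 & Co. tooling), the script below scores each SD-330AC or AMC Manager record against the fixed versions, the null-password default, and management-plane exposure. The `Asset` fields, the inventory records and the severity labels are constructed; the fixed versions, TCP/80, TCP/443 and SNMP come from the advisory text, and the sx_smpd port, which the page does not give, is left as a placeholder.

```python
"""Added example: scoring an asset inventory against mitigation steps 1 to 4.

Constructed for illustration; Asset fields, records and severity labels are
assumptions. Fixed versions and HTTP/SNMP ports come from the advisory.
"""
from dataclasses import dataclass

FIXED_VERSION = {"SD-330AC": "1.50", "AMC Manager": "5.1.0"}  # from ICSA-26-111-10
HTTP_PORTS = {80, 443}
SNMP_PORT = 161
SX_SMPD_PORT = None  # placeholder: the page does not give the sx_smpd port
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "info": 0}


@dataclass
class Asset:
    name: str
    product: str
    firmware: str
    admin_password_set: bool
    exposed_ports: set        # management ports reachable from outside the enclave
    mgmt_sources: set         # networks observed reaching the management plane
    authorized_sources: set   # networks the enclave design permits


def parse_version(text: str) -> tuple:
    # Assumption: dotted numeric components compared per component (1.49 < 1.50).
    return tuple(int(part) for part in text.split("."))


def version_below(current: str, fixed: str) -> bool:
    cur, fix = parse_version(current), parse_version(fixed)
    width = max(len(cur), len(fix))
    return cur + (0,) * (width - len(cur)) < fix + (0,) * (width - len(fix))


def assess(asset: Asset) -> list:
    """Return (severity, message) findings, each tied to a mitigation step."""
    fixed = FIXED_VERSION.get(asset.product)
    if fixed is None:
        return [("info", f"{asset.product} is not covered by ICSA-26-111-10")]
    findings = []
    if version_below(asset.firmware, fixed):
        findings.append(("high", f"firmware {asset.firmware} below fixed {fixed} (step 1)"))
        if asset.exposed_ports & HTTP_PORTS:
            findings.append(("critical", "HTTP/HTTPS management reachable while "
                                         "unpatched: CVE-2026-32956 path open (step 2)"))
    if not asset.admin_password_set:
        findings.append(("critical", "factory null administrator password (step 3)"))
    unauthorized = asset.mgmt_sources - asset.authorized_sources
    if unauthorized:
        findings.append(("medium", f"management reachable from {sorted(unauthorized)} (step 4)"))
    if SNMP_PORT in asset.exposed_ports:
        findings.append(("medium", "SNMP reachable outside the enclave, "
                                   "CVE-2015-5621 exposure (step 4)"))
    if SX_SMPD_PORT is not None and SX_SMPD_PORT in asset.exposed_ports:
        findings.append(("medium", "sx_smpd reachable outside the enclave (step 4)"))
    return findings


def worst_severity(findings: list) -> str:
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="none")


def triage(assets: list) -> dict:
    """Map asset name to (worst severity, findings), worst assets first."""
    scored = {}
    for asset in assets:
        findings = assess(asset)
        scored[asset.name] = (worst_severity(findings), findings)
    return dict(sorted(scored.items(),
                       key=lambda kv: SEVERITY_RANK.get(kv[1][0], -1), reverse=True))


# Constructed inventory records.
ASSETS = [
    Asset("sd330-line4", "SD-330AC", "1.42", False, {80, 443, 161},
          {"10.20.1.0/24", "10.99.0.0/16"}, {"10.20.1.0/24"}),
    Asset("sd330-line7", "SD-330AC", "1.50", True, set(),
          {"10.20.1.0/24"}, {"10.20.1.0/24"}),
    Asset("amc-primary", "AMC Manager", "5.0.3", True, {443},
          {"10.20.1.0/24"}, {"10.20.1.0/24"}),
]

if __name__ == "__main__":
    for name, (severity, findings) in triage(ASSETS).items():
        print(f"{name}: {severity}")
        for sev, message in findings:
            print(f"  [{sev}] {message}")
```

The ordering matters for a maintenance-window plan: an unpatched unit with HTTP reachable and the null password still in place is the one to isolate first, while a unit already on 1.50 inside its enclave produces no findings at all.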
Organizations that cannot apply the firmware update during the next maintenance window should plan for compensating monitoring and restricted access as a bridge until the patch can be deployed.
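For the compensating-monitoring bridge described above, the following added example (not 1898 & Co.'s staged detection content and not vendor code) runs four simple rules over constructed log lines: an SNMP request to a device from a host outside the authorized management set, an HTTP request to a device carrying an oversized query parameter value, a UDP payload to a device containing `EXEC REBOOT SYSTEM`, and an outbound connection from a device to a host outside its expected egress set. The pipe-delimited log format, the addresses, the placeholder URL path and the 256-byte parameter threshold are all assumptions.

```python
"""Added example: compensating-monitoring rules for step 5 over constructed
log lines. Format, addresses, path and threshold are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed inventory: device addresses and the hosts allowed to talk to them.
DEVICES = {"10.20.5.10", "10.20.5.11"}
AUTHORIZED_MGMT = {"10.20.1.50"}                 # engineering workstation
AUTHORIZED_EGRESS = {"10.20.1.50", "10.20.1.60"} # management host, syslog collector
MAX_PARAM_LEN = 256  # assumption: longest legitimate query value on the management UI


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    detail: str


def parse_line(line: str) -> Event:
    """Constructed format: ts|src|dst|proto|dport|detail."""
    ts, src, dst, proto, dport, detail = line.split("|", 5)
    return Event(ts, src, dst, proto, int(dport), detail)


def rule_unexpected_snmp(ev: Event) -> bool:
    """SNMP PDUs to a device from outside the authorized set (CVE-2015-5621 scanning)."""
    return ev.dport == 161 and ev.dst in DEVICES and ev.src not in AUTHORIZED_MGMT


def rule_oversized_param(ev: Event) -> bool:
    """HTTP request to a device whose query carries an abnormally long value."""
    if ev.proto != "tcp" or ev.dport not in (80, 443) or ev.dst not in DEVICES:
        return False
    parts = ev.detail.split(" ", 1)  # detail holds "METHOD /path?query"
    if len(parts) != 2:
        return False
    query = urlsplit(parts[1]).query
    return any(len(value) > MAX_PARAM_LEN
               for _, value in parse_qsl(query, keep_blank_values=True))


def rule_exec_reboot(ev: Event) -> bool:
    """UDP payload carrying the reboot command named for CVE-2024-24487."""
    return ev.proto == "udp" and ev.dst in DEVICES and "EXEC REBOOT SYSTEM" in ev.detail


def rule_unexpected_egress(ev: Event) -> bool:
    """Device initiating a connection to a host outside its expected egress set."""
    return ev.src in DEVICES and ev.dst not in DEVICES and ev.dst not in AUTHORIZED_EGRESS


RULES = {
    "unexpected_snmp": rule_unexpected_snmp,
    "oversized_param": rule_oversized_param,
    "exec_reboot": rule_exec_reboot,
    "unexpected_egress": rule_unexpected_egress,
}


def analyze(lines: list) -> list:
    """Return (rule, src, dst) for every rule that fires, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, ev.src, ev.dst))
    return alerts


# Constructed log lines; 10.20.9.77 is an unauthorized host, 203.0.113.5 an
# external address, and /mgmt/placeholder-page stands in for a real UI path.
LOG_LINES = [
    "2026-04-22T08:00:01Z|10.20.1.50|10.20.5.10|udp|161|snmp get-request sysDescr.0",
    "2026-04-22T08:00:07Z|10.20.9.77|10.20.5.10|udp|161|snmp get-bulk-request",
    "2026-04-22T08:01:12Z|10.20.1.50|10.20.5.11|tcp|443|GET /mgmt/placeholder-page?next=/status",
    "2026-04-22T08:01:15Z|10.20.9.77|10.20.5.11|tcp|80|GET /mgmt/placeholder-page?next=" + "A" * 600,
    "2026-04-22T08:02:40Z|10.20.9.77|10.20.5.10|udp|30000|payload EXEC REBOOT SYSTEM",
    "2026-04-22T08:03:05Z|10.20.5.10|10.20.1.60|udp|514|syslog forward",
    "2026-04-22T08:03:09Z|10.20.5.11|203.0.113.5|tcp|80|GET /fw/image.bin",
]

if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

The egress rule is the one that catches firmware retrieval from an untrusted host; the other three cover the inbound patterns step 5 asks operators to watch for, and all four rely on an accurate device and management-host inventory rather than on any exploit signature.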
1898 & Co. has reviewed ICSA-26-111-10 and the underlying Silex Technology advisory and identified the affected product families — the SD-330AC and AMC Manager — within inventories our Managed Threat Protection and Response for OT service covers for industrial, energy, and critical manufacturing clients. Detection content covering the authentication-bypass traffic pattern, the heap-overflow redirect URL signature, and the sx_smpd denial-of-service pattern has been staged for delivery into client CrowdStrike and Datadog workspaces.
Our consulting practice routinely assesses the placement of wireless serial device servers in ICS environments and documents them as part of network architecture and segmentation reviews. Clients engaged in active Purdue-model segmentation projects will receive an advisory bulletin identifying every SD-330AC or AMC Manager asset that currently sits outside a protected management enclave, together with a recommended architecture update prioritizing isolation of these devices before the firmware update window.
For clients requesting deeper engagement, 1898 & Co. threat hunters are prepared to execute the accompanying threat hunt plan against CrowdStrike Falcon telemetry, Datadog log and process data, Wireshark captures from the OT network segment, and exports from Claroty CTD, Dragos, Nozomi, Armis, Tenable OT, and Forescout eyeInspect platforms already in client environments. The hunt focuses on pre-patch exposure windows, indicators of redirect-URL exploitation, and anomalous SNMP PDU traffic consistent with CVE-2015-5621 opportunistic scanning.