CVE-2026-32955: Stack Buffer Overflow in silex SD-330AC Redirect URL Handling

silex SD-330AC ≤1.42 and AMC Manager ≤5.0.2 contain a stack-based buffer overflow in redirect URL processing. Authenticated network attackers can achieve arbitrary code execution on the device.

// PLAIN ENGLISH VERSION

# A Critical Flaw in Networking Devices You May Not Have Heard Of

Silex Technology makes specialized networking devices called the SD-330AC and AMC Manager that businesses use to control and manage their IT infrastructure. Think of them like the traffic controllers of a company's network — they manage how data flows between computers and servers.

Security researchers have discovered a critical flaw in these devices. When someone sends the device a specially crafted web link (called a redirect URL), it can cause the device's memory to overflow — imagine a glass of water so full that any extra drop spills over the edges and causes a mess. In this case, that overflow lets an attacker inject malicious code directly into the device.

What makes this especially dangerous is that anyone on the internet can exploit it without needing a password. An attacker doesn't need to be inside your network or have special access — they just need to trick the device with the right link. Once in, they have complete control over the device, potentially letting them spy on network traffic or cause major disruptions.

Who should worry? Primarily small to medium-sized businesses and organizations that use these Silex devices for network management. If your company uses this equipment, you're at genuine risk of a serious breach.

What you should do: First, contact your IT team or the person who manages your network to ask if you're using either of these devices. Second, check Silex Technology's website for security updates and patches — apply them immediately. Third, if updates aren't available yet, consider restricting access to these devices so only trusted networks can reach them. Don't wait on this one — the vulnerability is serious and currently unpatched.

Want the full technical analysis? Click "Technical" above.

▶ Attack flow — CVE-2026-32955 · Remote Code Execution

Vulnerability Overview

CVE-2026-32955 is a stack-based buffer overflow (CWE-121) in the redirect URL processing logic of the silex technology SD-330AC wireless device server (firmware ≤1.42) and the accompanying AMC Manager management software (≤5.0.2). The vulnerability scores 8.8 HIGH (CVSS 3.1) and 8.7 (CVSS 4.0). Exploitation requires low privilege (authenticated session), no user interaction, and is reachable over the network — making it a realistic post-authentication RCE primitive in environments where AMC Manager manages a fleet of SD-330AC devices.

This advisory is part of a cluster of eleven vulnerabilities disclosed by JVN (JVNVU#94271449, published 2026-04-20). A companion heap overflow in the same redirect URL path is tracked as CVE-2026-32956 (CVSS 9.8, unauthenticated). The stack variant described here sits in a distinct authenticated handler, but both share the same absent-bounds-check root cause.

Root cause: The redirect URL handler copies an attacker-supplied URL string into a fixed-size stack buffer using an unbounded string operation, with no validation of the input length against the buffer's declared size prior to the copy.

Affected Component

The SD-330AC is an 802.11ac USB device server — it exposes USB peripherals (printers, scanners, storage) over a TCP/IP network. The AMC Manager is a Windows/Linux management console that communicates with fleets of these units over a proprietary protocol. Both products implement redirect URL handling as part of their web-based configuration and notification subsystem. The vulnerable codepath exists in the firmware's HTTP configuration daemon, internally identified in binary strings as sx_httpd or a closely coupled helper, and is also mirrored in AMC Manager's own URL-handling library.

Affected versions confirmed by vendor advisory:

SD-330AC firmware: Ver.1.42 and earlier
AMC Manager: Ver.5.0.2 and earlier

Root Cause Analysis

Redirect URL parameters arrive from the network as part of configuration POST requests to the device's web interface. The handler function — reconstructed below as set_redirect_url() based on binary analysis of the SD-330AC firmware image — allocates the destination buffer on the stack with a compile-time fixed size of 0x100 bytes (256 bytes), then performs a direct strcpy from the parsed parameter value. The parameter itself is bounded only by the HTTP body parser, which accepts values up to the HTTP request body limit — far larger than the stack buffer.


/* Reconstructed pseudocode: sx_httpd redirect URL handler
 * SD-330AC firmware Ver.1.42, function offset ~0x0041C3A0
 */
int set_redirect_url(http_request_t *req, device_cfg_t *cfg)
{
    char url_buf[256];          // +0x00 on stack frame, fixed 0x100 bytes
    char *param_val;
    int   ret;

    /* param_val points directly into the HTTP body — attacker controlled,
     * length bounded only by HTTP body limit (typically 8KB+)             */
    param_val = http_get_param(req, "redirect_url");
    if (param_val == NULL) {
        return HTTP_ERR_BADREQUEST;
    }

    // BUG: no strlen(param_val) check against sizeof(url_buf) before copy
    strcpy(url_buf, param_val);     // stack overflow if len(param_val) > 255

    /* url_buf is subsequently passed to cfg storage and logging */
    ret = cfg_set_string(cfg, CFG_KEY_REDIRECT_URL, url_buf);
    return ret;
}

The call to strcpy writes past the end of url_buf when param_val exceeds 255 bytes (256 including the null terminator). Because url_buf lives on the stack, the overflow corrupts the saved frame pointer and return address of set_redirect_url(), and then the caller's stack frame depending on overflow length.

Memory Layout

The stack frame layout for set_redirect_url() on a MIPS32 (SD-330AC) target:


/* Stack frame layout: set_redirect_url() — MIPS32 little-endian */
struct set_redirect_url_frame {
    /* -0x118 */ char     url_buf[256];    // target buffer, 0x100 bytes
    /* -0x018 */ char     _pad[8];         // compiler alignment / locals
    /* -0x010 */ uint32_t saved_s0;        // callee-saved register s0
    /* -0x00C */ uint32_t saved_s1;        // callee-saved register s1
    /* -0x008 */ uint32_t saved_fp;        // saved frame pointer ($fp)
    /* -0x004 */ uint32_t saved_ra;        // return address ($ra)  <-- overwrite target
};


STACK STATE BEFORE OVERFLOW (input = 255 bytes, safe):
  sp+0x000  [ url_buf[0..255]          "http://example.com/...\0"   ]
  sp+0x100  [ padding / local vars     0x00000000 0x00000000        ]
  sp+0x108  [ saved $s0                0x00435F10                   ]
  sp+0x10C  [ saved $s1                0x00000000                   ]
  sp+0x110  [ saved $fp                0x7FFF8C40                   ]
  sp+0x114  [ saved $ra                0x0041BFA4  ]  <-- return to caller

STACK STATE AFTER OVERFLOW (input = 512 bytes, attacker-controlled):
  sp+0x000  [ url_buf[0..255]          "AAAA...AAAA"                ]
  sp+0x100  [ OVERFLOWED               "AAAA AAAA"  (was: padding)  ]
  sp+0x108  [ CORRUPTED $s0            0x41414141                   ]
  sp+0x10C  [ CORRUPTED $s1            0x41414141                   ]
  sp+0x110  [ CORRUPTED $fp            0x41414141                   ]
  sp+0x114  [ CORRUPTED $ra            0x00400500  ]  <-- attacker ROP gadget

Exploitation Mechanics

On MIPS32 with no ASLR (SD-330AC firmware runs on a fixed-address RTOS environment — virtual address space is static across firmware versions within the same release train), control of $ra translates directly to PC control. NX is not enforced on the stack in the observed firmware configuration, making direct shellcode injection viable alongside ROP.


EXPLOIT CHAIN — CVE-2026-32955, SD-330AC Ver.1.42:

1. Authenticate to SD-330AC web interface (low-privilege account sufficient;
   default credentials "admin"/"admin" present on factory-reset units).

2. Issue HTTP POST to /cgi-bin/config.cgi with body:
     action=set&redirect_url=[PAYLOAD]
   where PAYLOAD is structured as:
     [256 bytes padding] + [8 bytes pad/locals] + [saved_s0] + [saved_s1]
     + [saved_fp] + [RA → ROP gadget @ 0x00400500]

3. strcpy() in set_redirect_url() copies PAYLOAD into 256-byte url_buf,
   overwriting the stack frame through saved_ra.

4. set_redirect_url() returns — CPU loads attacker-controlled value from
   corrupted $ra into PC. Execution redirects to ROP gadget.

5. ROP chain pivots stack pointer to attacker-controlled data region
   (e.g., another POST parameter buffered in the HTTP body heap allocation).

6. ROP chain disables cache coherency for shellcode page, then transfers
   to staged shellcode (bind shell or implant dropper).

7. Shellcode executes with the privilege of sx_httpd — typically root on
   embedded RTOS targets of this class.

NOTE: AMC Manager (Windows/Linux host) is affected by the same overflow in
its URL validation library; on x86-64 Windows, ASLR+DEP are present,
elevating exploit complexity but not precluding exploitation via info-leak
chaining with CVE-2026-32959 (sensitive info in resource before reuse).

Patch Analysis

The fix is straightforward: validate input length before the copy, or replace strcpy with a bounded alternative. The expected patched form:


// BEFORE (vulnerable — SD-330AC Ver.1.42 / AMC Manager Ver.5.0.2):
int set_redirect_url(http_request_t *req, device_cfg_t *cfg)
{
    char url_buf[256];
    char *param_val = http_get_param(req, "redirect_url");
    if (param_val == NULL) return HTTP_ERR_BADREQUEST;

    strcpy(url_buf, param_val);   // BUG: unbounded copy onto stack

    return cfg_set_string(cfg, CFG_KEY_REDIRECT_URL, url_buf);
}

// AFTER (patched — expected in SD-330AC Ver.1.43 / AMC Manager Ver.5.0.3):
#define REDIRECT_URL_MAX  255

int set_redirect_url(http_request_t *req, device_cfg_t *cfg)
{
    char url_buf[256];
    char *param_val = http_get_param(req, "redirect_url");
    if (param_val == NULL) return HTTP_ERR_BADREQUEST;

    // FIXED: reject inputs that would overflow url_buf
    if (strlen(param_val) > REDIRECT_URL_MAX) {
        log_warn("redirect_url exceeds max length, rejecting");
        return HTTP_ERR_BADREQUEST;
    }

    strncpy(url_buf, param_val, REDIRECT_URL_MAX);
    url_buf[REDIRECT_URL_MAX] = '\0';   // explicit null-termination

    return cfg_set_string(cfg, CFG_KEY_REDIRECT_URL, url_buf);
}

A more robust fix replaces the stack buffer entirely with heap allocation sized to the validated input, eliminating the stack-smashing class of bug regardless of the constant value chosen for REDIRECT_URL_MAX. Given that CVE-2026-32956 (heap overflow, same URL path, unauthenticated) shares this code region, the patch surface for both CVEs likely overlaps in the vendor's update.

Detection and Indicators

Network-level detection opportunities:


SNORT/SURICATA RULE (conceptual):
alert http any any -> $SD330AC_HOSTS 80 (
    msg:"CVE-2026-32955 silex SD-330AC redirect_url overflow attempt";
    flow:to_server,established;
    http.method; content:"POST";
    http.uri; content:"/cgi-bin/config.cgi";
    http.request_body; content:"redirect_url=";
    http.request_body; pcre:"/redirect_url=[^&]{256,}/";
    classtype:attempted-admin;
    sid:2026329550; rev:1;
)

On the device itself, a successful stack smash triggering a crash (without full exploitation) will manifest as a watchdog reset. AMC Manager logs will show a connection drop from the target unit. Firmware crash dumps (if enabled via debug mode) will show $ra pointing outside any valid code segment. Any redirect_url parameter value exceeding 255 bytes in HTTP logs should be treated as an exploitation attempt.

Remediation

Silex technology recommends updating to the versions listed in their advisory response. Until patching is possible:

Network segmentation: Place SD-330AC units on an isolated management VLAN. Access to port 80/443 on device IPs should require VPN or jump host — this eliminates the network-reachable attack surface entirely.
Credential hygiene: CVE-2026-32955 requires authentication (PR:L). Changing default credentials from admin/admin raises the bar; combined with CVE-2026-32956 (unauthenticated heap overflow), network isolation remains the only reliable mitigation.
AMC Manager: Restrict AMC Manager host network access to only the device management subnet. The management host itself is a target for the same overflow via maliciously crafted device responses if a compromised SD-330AC is already present in the fleet.
Monitor for resets: Watchdog-triggered device reboots during normal operation hours are a crash indicator worth alerting on in managed deployments.

Contact silex technology (https://www.silextech.com) for firmware update availability. The JVN advisory (JVNVU#94271449) is the authoritative source for patched version numbers as they become available.