CVE-2026-32965
Received Received - Intake
Insecure Default Password Initialization in Silex SD-330AC Devices

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: JPCERT/CC

Description
Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial (factory-default) configuration, the device can be configured with the null string password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32965
EUVD
EUVD-2026-23758
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
silextechnology sd-330ac_firmware to 1.50 (exc)
silextechnology amc_manager to 5.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability exists when the affected device is connected to the network with the initial (factory-default) configuration, allowing configuration with a null string password.

To detect this vulnerability, you should check if the device is still using the factory-default settings, especially if the password is empty or null.

Since no specific commands or detection methods are provided in the available information, a general approach would be to attempt to access the device using default credentials or no password.

Executive Summary

This vulnerability exists in the SD-330AC and AMC Manager devices provided by silex technology, Inc. It occurs because the devices are initialized with an insecure default configuration. Specifically, when connected to the network with the factory-default settings, the device can be configured with a null string password, meaning no password is set by default.

Impact Analysis

Because the device can be accessed with a null string password, an attacker on the network can potentially gain unauthorized access to the device without needing any credentials. This can lead to unauthorized configuration changes or control over the device, impacting the integrity of the device's operation.

Compliance Impact

The vulnerability allows devices to be configured with a null string password when using the factory-default configuration, which can lead to unauthorized access.

Such unauthorized access risks compromising the integrity of information systems, potentially leading to violations of standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure access controls.

Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure adequate security measures.

Mitigation Strategies

The vulnerability arises from the device being configured with a null string password in its factory-default state.

Immediate mitigation steps include changing the default password to a strong, non-empty password as soon as the device is deployed on the network.

Ensure that the device is not left in its factory-default configuration when connected to the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32965. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart