CVE-2026-32965
Insecure Default Password Initialization in Silex SD-330AC Devices
Publication date: 2026-04-20
Last updated on: 2026-04-22
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| silextechnology | sd-330ac_firmware | to 1.50 (exc) |
| silextechnology | amc_manager | to 5.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exists when the affected device is connected to the network with the initial (factory-default) configuration, allowing configuration with a null string password.
To detect this vulnerability, you should check if the device is still using the factory-default settings, especially if the password is empty or null.
Since no specific commands or detection methods are provided in the available information, a general approach would be to attempt to access the device using default credentials or no password.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability arises from the device being configured with a null string password in its factory-default state.
Immediate mitigation steps include changing the default password to a strong, non-empty password as soon as the device is deployed on the network.
Ensure that the device is not left in its factory-default configuration when connected to the network.
Can you explain this vulnerability to me?
This vulnerability exists in the SD-330AC and AMC Manager devices provided by silex technology, Inc. It occurs because the devices are initialized with an insecure default configuration. Specifically, when connected to the network with the factory-default settings, the device can be configured with a null string password, meaning no password is set by default.
How can this vulnerability impact me? :
Because the device can be accessed with a null string password, an attacker on the network can potentially gain unauthorized access to the device without needing any credentials. This can lead to unauthorized configuration changes or control over the device, impacting the integrity of the device's operation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows devices to be configured with a null string password when using the factory-default configuration, which can lead to unauthorized access.
Such unauthorized access risks compromising the integrity of information systems, potentially leading to violations of standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure access controls.
Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure adequate security measures.