
CVE-2026-32955: Silex SD-330AC & AMC Manager Critical RCE — Defense & Patching Guide

Security Arsenal Team
April 23, 2026

CISA has released ICS Advisory ICSA-26-111-10 detailing a set of critical vulnerabilities affecting Silex Technology's SD-330AC device servers and AMC Manager software. With a maximum CVSS v3 base score of 9.8 (Critical), these flaws (CVE-2026-32955 through CVE-2026-32965, plus two older identifiers) represent a severe risk to Industrial Control Systems (ICS) and operational technology (OT) environments.

The vulnerabilities allow attackers to execute arbitrary code, alter device configurations without authentication, or trigger denial-of-service conditions. Because device servers in OT environments are typically headless, they are often overlooked in standard patch cycles, which makes them attractive targets for initial access and lateral movement into OT networks.

Technical Analysis

Affected Products:

  • Silex Technology SD-330AC: Versions <= 1.42
  • Silex Technology AMC Manager: Versions <= 5.0.2

CVE Landscape: The advisory lists eleven new identifiers (CVE-2026-32955 through CVE-2026-32965) plus two older ones (CVE-2015-5621 and CVE-2024-24487), thirteen in total. The presence of 2015 and 2024 identifiers alongside the 2026 set indicates that the fixed releases also close previously reported issues, i.e. accumulated technical debt in the firmware and management stack.

Vulnerability Mechanics:

  • Unauthenticated RCE & Config Alteration: The most critical flaws allow an attacker to interact with the web management interface or underlying services to inject commands or modify configurations without valid credentials. In OT contexts, altering the configuration of a device server (which typically bridges serial-attached PLCs and other equipment onto Ethernet) can sever control visibility or manipulate process data in transit.
  • Denial-of-Service (DoS): Specific flaws in the input handling can trigger crashes, rendering the device inaccessible.

Exploitation Requirements: Exploitation requires network access to the management interface (HTTP/HTTPS or proprietary ports). No user interaction or existing privileges are required, which is consistent with the 9.8 score (network-reachable, low complexity, no privileges, no user interaction). Any path that reaches the management interface, including one from a compromised IT workstation with a route into the OT segment, is therefore sufficient.

Detection & Response

Detecting exploitation of IoT/OT devices requires visibility into network flows and the management protocols used by AMC Manager. Since these devices generally cannot run host-based agents, network telemetry (web-server access logs, flow records, and logs from the host running AMC Manager) is the primary detection source.

SIGMA Rules

The following rules focus on detecting anomalous management traffic and potential web shell activity resulting from successful RCE.

YAML
---
title: Silex AMC Manager Unauthenticated Configuration Alteration
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects POST/PUT requests to Silex AMC Manager management endpoints that the server did not reject with an authentication or authorization error. Matches must be reconciled against authorised change activity; the web log alone cannot prove the request was unauthenticated.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-10
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: apache # Or nginx/iis depending on AMC deployment
detection:
  selection:
    c-uri|contains: # Endpoint names are assumed; align with the real AMC Manager URL layout
      - '/config'
      - '/setup'
      - '/admin'
    cs-method:
      - 'POST'
      - 'PUT'
  filter_rejected:
    sc-status: # Requests the server refused are not successful writes
      - 401
      - 403
  condition: selection and not filter_rejected
falsepositives:
  - Legitimate administrative configuration changes
level: high
---
title: Silex Device Server Potential RCE - Web Shell Creation
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects creation of server-side script files under the AMC Manager install directory or the IIS web root on the host running AMC Manager, a common post-exploitation step after a successful RCE.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-10
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'C:\Program Files\Silex\' # Assumed install path; adjust to your deployment
      - 'C:\inetpub\wwwroot\'
    TargetFilename|endswith:
      - '.asp'
      - '.aspx'
      - '.php'
      - '.jsp'
  condition: selection
falsepositives:
  - Software updates or legitimate plugin installation
level: critical
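To show how the first Sigma rule behaves on real input, the following Python script runs the same selection and filter logic over a few access-log lines and grades each match by whether the source is allowed to manage AMC. This is an added example, not code from the advisory, from CISA or from Silex; the endpoint paths, the allow-listed management subnet and every log line are constructed for illustration.

```python
"""Run the logic of the first Sigma rule above over web-server access logs.

Added example (not from the advisory, CISA or Silex). Parses Apache "combined"
format lines, keeps POST/PUT requests to the management paths the rule names,
drops requests the server rejected with 401/403 (the rule's filter), and raises
severity when the source is outside an assumed allow-list of management subnets.
The endpoint paths, the subnet and all log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache combined format: host ident user [time] "METHOD uri proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

MGMT_PATHS = ("/config", "/setup", "/admin")   # the Sigma rule's c-uri|contains list (assumed)
MUTATING_METHODS = {"POST", "PUT"}
REJECTED = {401, 403}                           # the Sigma rule's filter on sc-status
# Assumption: only the OT engineering subnet may push configuration to AMC Manager.
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.10.50.0/24")]


@dataclass(frozen=True)
class Hit:
    src: str
    method: str
    uri: str
    status: int
    severity: str   # "high" for an unapproved source, "info" for an approved one


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def source_approved(src: str) -> bool:
    """True if src is an IP address inside one of the approved management subnets."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # hostnames or malformed fields are never trusted
        return False
    return any(ip in net for net in APPROVED_MGMT_NETS)


def analyse(lines) -> List[Hit]:
    """Apply selection and filter exactly as the Sigma rule does, then grade by source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in MUTATING_METHODS:
            continue
        if not any(p in rec["uri"] for p in MGMT_PATHS):
            continue
        if rec["status"] in REJECTED:      # server refused it: not a successful write
            continue
        sev = "info" if source_approved(rec["src"]) else "high"
        hits.append(Hit(rec["src"], rec["method"], rec["uri"], rec["status"], sev))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.10.50.7 - - [23/Apr/2026:09:01:12 +0000] "GET /status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.50.7 - - [23/Apr/2026:09:02:40 +0000] "POST /admin/config HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.168.77.23 - - [23/Apr/2026:09:15:03 +0000] "POST /config/network HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '192.168.77.23 - - [23/Apr/2026:09:15:04 +0000] "PUT /setup/dns HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    '172.16.4.9 - - [23/Apr/2026:09:20:55 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage that is not an access-log line",
]

if __name__ == "__main__":
    for h in analyse(SAMPLE_LOG):
        print(f"[{h.severity}] {h.src} {h.method} {h.uri} -> {h.status}")
```

On the sample above the approved engineer's POST to /admin/config is reported at "info" (to be reconciled with change tickets), the rejected 401 probe is dropped by the filter, and the follow-up PUT to /setup/dns from the same unapproved host that returned 200 is the one "high" hit. The severity split is the part the Sigma rule cannot express on its own, and it is what keeps a busy administrator from burying the real alert.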

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for configuration writes to Silex AMC Manager from hosts not approved to manage it
// Assumes AMC Manager (or the web server in front of it) logs are forwarded as Syslog/CEF
let AmcHosts = dynamic(["192.168.1.10", "10.0.0.5"]);       // Replace with the known AMC Manager IPs
let ApprovedMgmtRanges = dynamic(["10.10.50.0/24"]);        // Replace with the subnets permitted to manage AMC
CommonSecurityLog
| where (DeviceVendor in ("Silex", "Silex Technology") and DeviceProduct contains "AMC") or DestinationIP in (AmcHosts)
| where DestinationPort in (80, 443)                        // Add any proprietary management ports your deployment exposes
| where RequestMethod in ("POST", "PUT")
| where RequestURL has_any ("/config", "/setup", "/admin")  // Endpoint names are assumed; align with the Sigma rule and the real URL layout
| where not(ipv4_is_in_any_range(SourceIP, ApprovedMgmtRanges))  // CIDR match; a string !in against "10.0.0.0/8" would never exclude anything
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestMethod, RequestURL, RequestContext, DeviceAction
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for AMC Manager binaries on Windows endpoints and read the version from the PE resource
-- (the first 200 bytes of an executable are the DOS/PE header and never contain a version string)
-- The install path is an assumption; adjust it to your deployment.
SELECT OSPath, Size, Mtime,
       parse_pe(file=OSPath).VersionInformation.ProductVersion AS ProductVersion,
       parse_pe(file=OSPath).VersionInformation.FileVersion AS FileVersion
FROM glob(globs='C:/Program Files/Silex/AMC Manager/*.exe')
-- Anything at or below 5.0.2 is in scope per ICSA-26-111-10; 1.42 is the SD-330AC firmware version, not AMC Manager.

Version Check Script (Bash)

Bash / Shell
#!/bin/bash
# Check for an AMC Manager installation on Linux and compare its version against
# the last affected release named in ICSA-26-111-10.
# Note: the install path and version-file names are assumptions; adjust them to
# the vendor documentation for your deployment.
set -u

AMC_DIR="${AMC_DIR:-/opt/amc}"
LAST_VULN_VER="5.0.2"   # AMC Manager <= 5.0.2 is affected

echo "[*] Checking for Silex AMC Manager installation in ${AMC_DIR}..."
if [ ! -d "$AMC_DIR" ]; then
    echo "[-] Standard installation path not found."
    exit 0
fi
echo "[!] AMC Manager found at ${AMC_DIR}"

# Take the first dotted version number from whichever version file exists.
ver=""
for f in "$AMC_DIR/version.txt" "$AMC_DIR/README"; do
    [ -r "$f" ] || continue
    ver=$(grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' "$f" | head -n 1)
    [ -n "$ver" ] && break
done
if [ -z "$ver" ]; then
    echo "[?] Could not determine the version; inspect ${AMC_DIR} manually."
    exit 2
fi

# sort -V orders versions numerically; if the installed version sorts first
# (or is equal), it is at or below 5.0.2 and therefore affected.
lowest=$(printf '%s\n%s\n' "$ver" "$LAST_VULN_VER" | sort -V | head -n 1)
if [ "$ver" = "$lowest" ]; then
    echo "[!] Installed version ${ver} is <= ${LAST_VULN_VER}: affected."
    echo "[*] Recommendation: upgrade to a version newer than ${LAST_VULN_VER} immediately per CISA ICSA-26-111-10."
    exit 1
fi
echo "[+] Installed version ${ver} is newer than ${LAST_VULN_VER}."

Remediation & Hardening

  1. Patch Immediately:

    • SD-330AC: Upgrade to a version newer than 1.42.
    • AMC Manager: Upgrade to a version newer than 5.0.2.
    • Refer to the Silex Technology Security Advisory for specific firmware and software downloads.
  2. Network Segmentation (OT Defense):

    • Isolate SD-330AC devices and AMC Manager instances in a dedicated ICS VLAN.
    • Enforce firewall rules that block inbound access to the management ports (HTTP/HTTPS and any proprietary management ports) from the IT network and the internet; only the engineering subnet should be able to reach them.
    • If remote access is strictly required, place AMC Manager in a DMZ and require VPN plus MFA before the management interface is reachable.
  3. Inventory & Asset Management:

    • Scan the environment for SD-330AC instances. These devices sit quietly at the network edge (bridging serial-attached equipment onto Ethernet) and are frequently missing from IT-managed CMDBs; passive discovery from switch MAC tables or OT network monitoring is safer than active scanning against fragile OT hosts.
  4. Configuration Review:

    • If you cannot patch immediately (common in ICS), compare the current device configuration against the commissioning baseline and look for unauthorized changes (altered DNS settings, new user accounts, modified port-forwarding rules). Any such change should be treated as a possible indicator of compromise and investigated before a firmware upgrade overwrites the evidence.
  5. CISA KEV & Deadlines:
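For the configuration review in step 4, the following Python script compares a device-server configuration export with a known-good baseline and separates changes in sensitive areas (DNS, local users, port forwarding, management settings) from routine ones. This is an added example, not Silex tooling: the SD-330AC export format is not described on this page, so a plain key=value text export is assumed, the list of sensitive key prefixes is an assumption to adapt to the real schema, and both exports are constructed.

```python
"""Flag unauthorised changes in a device-server configuration export.

Added example; not Silex tooling. The real SD-330AC export format is not
documented here, so a 'key=value' text export is assumed, and the prefixes
treated as sensitive are an assumption to map onto the real configuration
schema. Both exports below are constructed.
"""
import hashlib
from typing import Dict, List

SENSITIVE_PREFIXES = ("dns.", "user.", "portforward.", "mgmt.", "snmp.", "ntp.")


def parse_export(text: str) -> Dict[str, str]:
    """Parse a key=value export; blank lines, '#' comments and lines without '=' are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        cfg[key.strip()] = value.strip()
    return cfg


def fingerprint(cfg: Dict[str, str]) -> str:
    """Order-independent SHA-256 of the whole configuration, for a quick baseline check."""
    canonical = "\n".join(f"{k}={cfg[k]}" for k in sorted(cfg))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Return every added, removed or changed key, marking those in sensitive areas."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        change = "added" if old is None else ("removed" if new is None else "changed")
        findings.append({
            "key": key, "change": change, "old": old, "new": new,
            "sensitive": key.startswith(SENSITIVE_PREFIXES),
        })
    return findings


def sensitive_findings(findings: List[dict]) -> List[dict]:
    """The subset that warrants an incident ticket rather than a change-control query."""
    return [f for f in findings if f["sensitive"]]


# Constructed exports (not real device output).
BASELINE_EXPORT = """
# captured at commissioning
hostname=line3-ds01
mgmt.https.enabled=1
dns.primary=10.10.1.53
dns.secondary=10.10.1.54
user.admin.role=admin
ntp.server=10.10.1.123
serial.port1.baud=9600
"""

CURRENT_EXPORT = """
hostname=line3-ds01
mgmt.https.enabled=1
dns.primary=198.51.100.17
dns.secondary=10.10.1.54
user.admin.role=admin
user.svc_backup.role=admin
ntp.server=10.10.1.123
serial.port1.baud=19200
portforward.1=0.0.0.0:8080->10.10.20.5:502
"""

if __name__ == "__main__":
    base, cur = parse_export(BASELINE_EXPORT), parse_export(CURRENT_EXPORT)
    if fingerprint(base) != fingerprint(cur):
        for f in diff_config(base, cur):
            flag = "!!" if f["sensitive"] else "  "
            print(f"{flag} {f['change']:7} {f['key']}: {f['old']} -> {f['new']}")
```

On the constructed input the script reports four differences, three of them sensitive: the primary DNS server now points outside the plant, a new administrative account has appeared, and a port forward exposes a Modbus/TCP endpoint. The changed serial baud rate is reported too, but unflagged, so it can be cleared with the engineer who made it. Capture the baseline export at commissioning and store its fingerprint off the device; a fingerprint mismatch is the cheap trigger, the diff is the evidence.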
