{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32958", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-17T00:23:24.980Z", "datePublished": "2026-04-20T03:19:16.492Z", "dateUpdated": "2026-04-20T13:19:40.008Z"}, "containers": {"cna": {"affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"version": "Ver.1.42 and earlier", "status": "affected"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"version": "Ver.5.0.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update."}], "problemTypes": [{"descriptions": [{"description": "Use of hard-coded cryptographic key", "lang": "en-US", "cweId": "CWE-321", "type": "CWE"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:19:16.492Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T13:19:18.750535Z", "id": "CVE-2026-32958", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:19:40.008Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:19:18.750535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:19:36.163Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"status": "affected", "version": "Ver.1.42 and earlier"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"status": "affected", "version": "Ver.5.0.2 and earlier"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-321", "description": "Use of hard-coded cryptographic key"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:19:16.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32958", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:19:40.008Z", "dateReserved": "2026-03-17T00:23:24.980Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-20T03:19:16.492Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silextechnology:sd-330ac_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A70D1CA9-282F-4ED4-B692-E0F30551B8A5", "versionEndExcluding": "1.50", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silextechnology:sd-330ac:-:*:*:*:*:*:*:*", "matchCriteriaId": "FCFD8120-C8AC-4526-9482-0156E4B4BB5F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silextechnology:amc_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B2DC15C-0A28-47E0-B3C4-9DD49B869BCA", "versionEndExcluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update."}], "id": "CVE-2026-32958", "lastModified": "2026-04-22T17:00:17.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-20T04:16:42.580", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/vu/JVNVU94271449/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.silex.jp/support/security-advisories/en/2026-001"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "AMC Manager", "source": "cna", "vendor": "silex technology, Inc."}, "product": "amc_manager", "vendor": "silextechnology"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.42]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SD-330AC", "source": "cna", "vendor": "silex technology, Inc."}, "product": "sd-330ac", "vendor": "silextechnology"}], "analysis": {"en": {"generated_at": "2026-04-20T06:51:10.133439+00:00", "value": {"mitigation_remediation": ["Apply a vendor\u2011issued patch or update firmware to a version that removes the hard\u2011coded cryptographic key.", "Verify all firmware updates by checking the vendor\u2019s cryptographic signature and reject any update lacking a valid signature.", "Restrict firmware update capability to a trusted network segment and require multi\u2011factor authentication for administrative users."], "summary": {"action": "Apply Patch", "impact": "Firmware Bypass via Hard\u2011Coded Key"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Silex technology, Inc.'s AMC Manager and SD\u2011330AC devices that contain the hard\u2011coded cryptographic key. No specific version information is provided, indicating that all current releases of these products are potentially susceptible.", "description_and_impact": "SD\u2011330AC and AMC Manager use a fixed cryptographic key, enabling an attacker to replace legitimate firmware with a malicious image that the system will accept without verification. This flaw, categorized as CWE\u2011321 (Weak Cryptographic Key), can allow arbitrary code execution or unauthorized control of the device, as the compromised firmware runs with the same privileges as authentic updates.", "risk_and_exploitability": "With a CVSS score of 6.9 the flaw carries medium severity. The EPSS score is not available and it is not listed in the CISA KEV catalog, indicating that no current data informs the likelihood of exploitation. The likely attack vector, inferred from the description, involves a social engineering or remote delivery of a fake firmware update; however, this specific vector is not explicitly stated in the input."}}}}, "created": "2026-04-20T07:00:11.081278+00:00", "title": "Hard\u2011Coded Cryptographic Key Enables Fake Firmware Updates", "updated": "2026-04-20T14:58:15.298435+00:00", "vendors": ["silextechnology", "silextechnology$PRODUCT$amc_manager", "silextechnology$PRODUCT$sd-330ac"]}