ThreatPulse — April 20, 2026 | 4 threats, personalised for Ethan Andrews
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.
// CVE-2026-6581: H3C Magic B1, SetMobileAPInfoById reached through /goform/aspForm.
// SecurityEvent (Microsoft Sentinel) has no Timestamp column, so TimeGenerated is
// filtered on and aliased to Timestamp to give the union a single time column.
union
  (DeviceNetworkEvents
   | where Timestamp > ago(7d)
   | where RemoteUrl has "goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
   // non-browser clients (or explicit curl/wget) talking to the management endpoint
   | where InitiatingProcessFileName !in ("chrome.exe", "iexplore.exe", "firefox.exe")
       or InitiatingProcessFileName has "curl" or InitiatingProcessFileName has "wget"
   | project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName,
             InitiatingProcessCommandLine, ActionType),
  (DeviceProcessEvents
   | where Timestamp > ago(7d)
   | where ProcessCommandLine has "goform" or ProcessCommandLine has "SetMobileAPInfoById"
       or ProcessCommandLine has "aspForm"
   | where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe")
   | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
  (SecurityEvent
   | where TimeGenerated > ago(7d)
   | where Activity has "Network" and (TargetUserName has "admin" or TargetUserName has "root")
   // "0.0.0.0" is a placeholder; substitute the addresses of the H3C devices being monitored
   | where Computer has_any ("h3c", "magic", "b1") or SourceIP in (dynamic(["0.0.0.0"]))
   | project Timestamp = TimeGenerated, Computer, TargetUserName, Activity, SourceIP)
// Rows from the process and authentication branches carry no RemoteUrl, RemoteIP or
// InitiatingProcessFileName, so they collapse into one empty-key group here.
| summarize EventCount = count(), UniqueDevices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by RemoteUrl, RemoteIP, InitiatingProcessFileName
| where EventCount > 1
| limit 1000
Summary: CVE-2026-6581 is a critical buffer overflow vulnerability in H3C Magic B1 devices, in the SetMobileAPInfoById function, exploitable remotely with a CVSS score of 8.8. Detection focuses on identifying exploitation attempts targeting H3C devices through network traffic patterns and process execution anomalies.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK:
False Positives: Legitimate administrative tools (curl, wget) used by IT staff for device management may trigger alerts; whitelist known management IP ranges and administrative accounts. Standard web browser traffic to H3C management interfaces should be excluded. Filter out routine device health checks and firmware update processes from H3C vendor infrastructure.
Detection Logic: Monitor for exploitation attempts by detecting network connections to H3C devices targeting the vulnerable /goform/aspForm endpoint with SetMobileAPInfoById function calls, combined with suspicious process execution (curl, wget, powershell) attempting to interact with the vulnerable endpoint. Cross-reference with authentication anomalies on H3C devices and look for buffer overflow indicators in network payloads.
// CVE-2026-6563: H3C Magic B1, SetAPWifiorLedInfoById reached through /goform/aspForm.
let timeframe = 7d;
// The bare term 'param' matches almost any command line; keep it only if that noise is acceptable.
let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'param', 'Magic B1']);
union
  (DeviceNetworkEvents
   | where Timestamp > ago(timeframe)
   | where RemoteUrl has_any ('goform/aspForm', '/goform/')
       or RemoteUrl matches regex @'(?i).*SetAPWifiorLedInfoById.*'
   | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed')
   | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort,
             InitiatingProcessFileName, InitiatingProcessCommandLine),
  (DeviceProcessEvents
   | where Timestamp > ago(timeframe)
   | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm')
   | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
  (DeviceFileEvents
   | where Timestamp > ago(timeframe)
   | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators)
   | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted')
   | project Timestamp, DeviceName, FolderPath, FileName, ActionType, AccountName)
// Grouping on the raw Timestamp makes EventCount 1 for every row; binning to an hour
// gives the count meaning, so the EventCount threshold can be raised above 0 when tuning.
| summarize EventCount = count()
    by bin(Timestamp, 1h), DeviceName, RemoteIP, ProcessCommandLine, FileName
| where EventCount > 0
| limit 1000
Summary: CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices, in the SetAPWifiorLedInfoById function of /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies, and file access to vulnerable endpoints on H3C devices or management interfaces.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK:
False Positives: Legitimate administrative access to H3C device management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Whitelist known management IPs, scheduled maintenance windows, and authenticated administrative accounts. Filter out internal network scanning and vulnerability assessment tools that may probe these endpoints.
Detection Logic: Monitor for exploitation attempts by detecting network connections to vulnerable /goform/aspForm endpoints with SetAPWifiorLedInfoById function calls, unusual process execution with buffer overflow payloads in command lines, and suspicious file modifications in web application directories. Cross-correlate network events with process and file activity to identify attack chains.
// CVE-2026-33825: Windows Defender binaries spawned by an unexpected parent.
let timeWindow = 7d;
// WinDefend is the service name, not a file name; the FileName check never matches it.
let suspiciousDefenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe', 'WinDefend']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe',
                                 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
let parentPattern = @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)';
union
  (DeviceProcessEvents
   | where Timestamp > ago(timeWindow)
   // TokenElevationTypeDefault is also what SYSTEM services report, so this clause only
   // drops UAC-limited tokens; the parent check below carries the detection.
   | where ProcessTokenElevation has_any ('TokenElevationTypeFull', 'TokenElevationTypeDefault')
       and (FileName in (suspiciousDefenderProcesses)
            // verbatim strings: a backslash in a normal KQL string literal is an escape character
            or FolderPath has @'Windows\Defender'
            or FolderPath has @'ProgramData\Microsoft\Windows Defender')
   | where InitiatingProcessFileName in (suspiciousParents)
       or InitiatingProcessCommandLine matches regex parentPattern
   // the parent is the evidence, so it is kept (renamed to match the 4688 branch)
   | project Timestamp, DeviceName, DeviceId, ProcessId, FileName, FolderPath, ProcessCommandLine,
             ProcessTokenElevation, ParentProcessName = InitiatingProcessFileName,
             ParentCommandLine = InitiatingProcessCommandLine, AccountName, AccountDomain),
  (SecurityEvent
   | where TimeGenerated > ago(timeWindow)
   | where EventID == 4688
   | where NewProcessName has_any (suspiciousDefenderProcesses) or NewProcessName has @'Windows\Defender'
   // 4688 ParentProcessName is a full path, so `in` against bare file names would never match
   | where ParentProcessName has_any (suspiciousParents) or CommandLine matches regex parentPattern
   | project Timestamp = TimeGenerated, DeviceName = Computer, ProcessId = NewProcessId,
             FileName = NewProcessName, ProcessCommandLine = CommandLine, ParentProcessName,
             AccountName = SubjectUserName, AccountDomain = SubjectDomainName)
| limit 1000
Summary: CVE-2026-33825 is a Windows Defender zero-day vulnerability enabling local privilege escalation to SYSTEM on Windows 10/11, exploited via the BlueHammer proof-of-concept. Detection focuses on identifying suspicious process creation with an elevated token and manipulation of Windows Defender-related processes.
Affected Products: Windows 10 · Windows 11 · Microsoft Defender
MITRE ATT&CK:
False Positives: Legitimate Windows Defender updates and maintenance tasks may spawn elevated processes; filter by known Microsoft-signed binaries and scheduled task execution contexts. Exclude processes initiated from C:\Windows\System32\svchost.exe and official Windows Update processes. Tune based on the organizational baseline of normal Defender process behavior.
Detection Logic: Monitor for process creation events where Windows Defender processes (MsMpEng.exe, NisSrv.exe) or Defender-related binaries are spawned with an elevated token from unusual parent processes (cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, regasm.exe, InstallUtil.exe). Cross-correlate DeviceProcessEvents and SecurityEvent (EventID 4688) to detect privilege escalation attempts exploiting CVE-2026-33825.
ThreatPulse — Automated Threat Intelligence