SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.

CVE-2026-6581 is a critical buffer overflow vulnerability in H3C Magic B1 devices affecting the SetMobileAPInfoById function, exploitable remotely with a CVSS score of 8.8. Detection focuses on identifying exploitation attempts targeting H3C devices through network traffic patterns and process...

H3C Magic B1  ·  H3C Magic B1 up to 100R004

Monitor for exploitation attempts by detecting network connections to H3C devices targeting the vulnerable /goform/aspForm endpoint with SetMobileAPInfoById function calls, combined with suspicious process execution (curl, wget, powershell) attempting to interact with the vulnerable endpoint. Cross-reference with authentication anomalies on H3C devices and look for buffer overflow indicators in network payloads.

Legitimate administrative tools (curl, wget) used by IT staff for device management may trigger alerts; whitelist known management IP ranges and administrative accounts. Standard web browser traffic to H3C management interfaces should be excluded. Filter out routine device health checks and firmware update processes from H3C vendor infrastructure.

CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices affecting the SetAPWifiorLedInfoById function in /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies,...

H3C Magic B1  ·  H3C Magic B1 up to 100R004

Monitor for exploitation attempts by detecting network connections to vulnerable /goform/aspForm endpoints with SetAPWifiorLedInfoById function calls, unusual process execution with buffer overflow payloads in command lines, and suspicious file modifications in web application directories. Cross-correlate network events with process and file activity to identify attack chains.

Legitimate administrative access to H3C device management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Whitelist known management IPs, scheduled maintenance windows, and authenticated administrative accounts. Filter out internal network scanning and vulnerability assessment tools that may probe these endpoints.

CVE-2026-33825 is a Windows Defender zero-day vulnerability enabling local privilege escalation to SYSTEM level on Windows 10/11 systems, exploited via the BlueHammer proof-of-concept. Detection focuses on identifying suspicious process creation with elevated token elevation and Windows...

Windows 10  ·  Windows 11  ·  Microsoft Defender

Monitor for suspicious process creation events where Windows Defender processes (MsMpEng.exe, NisSrv.exe) or Defender-related binaries are spawned with elevated token elevation from unusual parent processes (cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, regasm.exe, InstallUtil.exe). Cross-correlate DeviceProcessEvents and SecurityEvent (EventID 4688) to detect privilege escalation attempts exploiting CVE-2026-33825.

Legitimate Windows Defender updates and maintenance tasks may spawn elevated processes; filter by known Microsoft signed binaries and scheduled task execution contexts. Exclude processes initiated from C:\Windows\System32\svchost.exe and official Windows Update processes. Tune based on organizational baseline of normal Defender process behavior.