ThreatPulse — April 20, 2026 | 4 threats, personalised for Demo User
Personalised for Demo User | SOC Analyst | Detection: KQL
SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.
SD-330AC and AMC Manager provided by silex technology, Inc. contain a stack-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.
CVE-2026-6581 is a critical buffer overflow vulnerability in H3C Magic B1 devices affecting the SetMobileAPInfoById function, exploitable remotely with a CVSS score of 8.8. Detection focuses on identifying exploitation attempts targeting H3C devices through network traffic patterns and process execution anomalies.
Detection (KQL):
// Branch 1: Defender XDR network telemetry for requests to the vulnerable endpoint from non-browser processes.
// Branch 2: process telemetry where a CLI tool carries the endpoint name on its command line.
// Branch 3: the Sentinel SecurityEvent table, which uses TimeGenerated, Computer and IpAddress rather than
//           Timestamp, DeviceName and SourceIP; "Network" logons are identified by LogonTypeName, not Activity.
// Each branch is tagged with SourceTable and aligned to DeviceName so the final summarize is meaningful for all three.
union
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has "goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
    // curl/wget already pass the !in test; the explicit terms are kept from the original for readability.
    | where InitiatingProcessFileName !in ("chrome.exe", "iexplore.exe", "firefox.exe")
        or InitiatingProcessFileName has "curl" or InitiatingProcessFileName has "wget"
    | extend SourceTable = "DeviceNetworkEvents"
    | project Timestamp, SourceTable, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has "goform" or ProcessCommandLine has "SetMobileAPInfoById" or ProcessCommandLine has "aspForm"
    | where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe")
    | extend SourceTable = "DeviceProcessEvents"
    | project Timestamp, SourceTable, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4624 and LogonTypeName has "Network" and (TargetUserName has "admin" or TargetUserName has "root")
    // "0.0.0.0" is a placeholder from the original; replace it with known-bad or out-of-policy source addresses.
    | where Computer has_any ("h3c", "magic", "b1") or IpAddress in (dynamic(["0.0.0.0"]))
    | extend SourceTable = "SecurityEvent"
    | project Timestamp = TimeGenerated, SourceTable, DeviceName = Computer, TargetUserName, Activity, SourceIP = IpAddress)
// Only branch 1 carries RemoteUrl, RemoteIP and InitiatingProcessFileName; grouping by SourceTable as well
// stops the other two branches from collapsing into a single null-keyed row.
| summarize EventCount = count(), UniqueDevices = dcount(DeviceName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SourceTable, RemoteUrl, RemoteIP, InitiatingProcessFileName
| where EventCount > 1
| limit 1000
Detection Logic: Monitor for exploitation attempts by detecting network connections to H3C devices that target the vulnerable /goform/aspForm endpoint with SetMobileAPInfoById calls, combined with suspicious process execution (curl, wget, powershell) interacting with that endpoint. Cross-reference with authentication anomalies on the H3C devices and look for buffer overflow indicators in the network payloads.
Affected Products: H3C Magic B1 up to 100R004
False Positives / Tuning: Legitimate administrative tools (curl, wget) used by IT staff for device management may trigger alerts; allowlist known management IP ranges and administrative accounts. Standard web browser traffic to H3C management interfaces should be excluded. Filter out routine device health checks and firmware update processes from H3C vendor infrastructure.
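One way to apply that tuning to the DeviceNetworkEvents branch of the query above, as an added example that is not part of the ThreatPulse digest; the management subnets, admin account names and the H3C device range are assumed placeholders to replace with the organisation's own values:

```kql
// Added tuning example (not from the digest). Standard Defender XDR DeviceNetworkEvents schema;
// the ranges and account names below are assumed placeholders.
let mgmtRanges = dynamic(['10.20.0.0/24', '192.168.250.0/24']);   // assumed jump-host subnets
let mgmtAccounts = dynamic(['netops-admin', 'svc-firmware']);     // assumed admin accounts
let browsers = dynamic(['chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe']);
let h3cRanges = dynamic(['10.50.1.0/24']);                         // assumed H3C Magic B1 management range
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has 'goform/aspForm' or RemoteUrl has 'SetMobileAPInfoById'
// Standard browser traffic to the management UI is excluded.
| where InitiatingProcessFileName !in~ (browsers)
// Allowlist: requests from management subnets by known admin accounts are routine device management.
| where not (ipv4_is_in_any_range(LocalIP, mgmtRanges) and InitiatingProcessAccountName in~ (mgmtAccounts))
// Keep only traffic aimed at the H3C devices, not any other host serving a similar path.
| where ipv4_is_in_any_range(RemoteIP, h3cRanges)
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine, 10)
    by DeviceName, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl
| order by EventCount desc
```

Anything that survives both exclusions is a non-browser tool reaching the vulnerable path from outside the management allowlist, which is the case the alert is meant to surface.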
CVE-2026-33825 is a Windows Defender zero-day vulnerability enabling local privilege escalation to SYSTEM on Windows 10/11 systems, exploited via the BlueHammer proof-of-concept. Detection focuses on identifying suspicious process creation with elevated tokens and manipulation of Windows Defender-related processes.
Detection (KQL):
let timeWindow = 7d;
// WinDefend is the service name rather than an image name, so it never matches FileName; kept from the original list.
let suspiciousDefenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe', 'WinDefend']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
// Paths use verbatim (@'...') strings so the backslashes are not parsed as escape sequences.
union
    (DeviceProcessEvents
    | where Timestamp > ago(timeWindow)
    | where ProcessTokenElevation has_any ('TokenElevationTypeFull', 'TokenElevationTypeDefault')
        and (FileName in (suspiciousDefenderProcesses) or FolderPath has @'Windows\Defender' or FolderPath has @'ProgramData\Microsoft\Windows Defender')
    | where InitiatingProcessFileName in (suspiciousParents)
        or InitiatingProcessCommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    // Parent columns are renamed to the SecurityEvent names so both branches line up; the original dropped them with project-away,
    // which discarded the parent information the detection depends on.
    | project Timestamp, DeviceName, DeviceId, ProcessId, FileName, FolderPath, ProcessCommandLine, ProcessTokenElevation,
              ParentProcessName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, AccountName, AccountDomain),
    (SecurityEvent
    | where TimeGenerated > ago(timeWindow)
    | where EventID == 4688
    | where NewProcessName has_any (suspiciousDefenderProcesses) or NewProcessName has @'Windows\Defender'
    // ParentProcessName in 4688 is a full path, so a term match is used instead of an exact "in" against bare file names.
    | where ParentProcessName has_any (suspiciousParents)
        or CommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    | project Timestamp = TimeGenerated, DeviceName = Computer, ProcessId = NewProcessId, FileName = NewProcessName,
              ProcessCommandLine = CommandLine, ParentProcessName, ParentCommandLine = "", AccountName, AccountDomain)
| limit 1000
Detection Logic: Monitor for process creation events where Windows Defender processes (MsMpEng.exe, NisSrv.exe) or Defender-related binaries are spawned with an elevated token from unusual parent processes (cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, regasm.exe, InstallUtil.exe). Cross-correlate DeviceProcessEvents and SecurityEvent (EventID 4688) to detect privilege escalation attempts exploiting CVE-2026-33825.
Affected Products: Windows 10 · Windows 11 · Microsoft Defender
False Positives / Tuning: Legitimate Windows Defender updates and maintenance tasks may spawn elevated processes; filter by known Microsoft-signed binaries and scheduled task execution contexts. Exclude processes initiated from C:\Windows\System32\svchost.exe and official Windows Update processes. Tune based on the organisational baseline of normal Defender process behaviour.
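One way to apply the baseline and exclusions from that note to the DeviceProcessEvents branch of the query above, as an added example that is not part of the ThreatPulse digest; the maintenance account name is an assumed placeholder, and the 30-day baseline window is an assumption to adjust to local retention:

```kql
// Added tuning example (not from the digest). Standard Defender XDR DeviceProcessEvents schema; only
// parent/child pairs never seen on that device during the baseline period are returned.
let timeWindow = 7d;
let baselineWindow = 30d;                                     // assumed; adjust to retention
let defenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
let maintenanceAccounts = dynamic(['svc-defender-maint']);    // assumed placeholder account
// Every elevated start of a Defender binary, whatever the parent.
let defenderStarts = DeviceProcessEvents
    | where FileName in~ (defenderProcesses) or FolderPath has @'Windows\Defender'
    | where ProcessTokenElevation in ('TokenElevationTypeFull', 'TokenElevationTypeDefault');
// Baseline: parent/child pairs observed per device before the detection window count as normal.
let baseline = defenderStarts
    | where Timestamp between (ago(baselineWindow) .. ago(timeWindow))
    | summarize BaselineCount = count() by DeviceId, InitiatingProcessFileName, FileName;
defenderStarts
| where Timestamp > ago(timeWindow)
| where InitiatingProcessFileName in~ (suspiciousParents)
    or InitiatingProcessCommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
// Exclusions from the tuning note: the System32 service host and known maintenance accounts.
| where not (InitiatingProcessFileName =~ 'svchost.exe' and InitiatingProcessFolderPath has @'Windows\System32')
| where AccountName !in~ (maintenanceAccounts)
// Drop anything the device has already done routinely during the baseline period.
| join kind=leftanti baseline on DeviceId, InitiatingProcessFileName, FileName
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine, ProcessTokenElevation
| order by Timestamp desc
```

The leftanti join is what implements "tune based on organisational baseline": a pair such as cmd.exe starting a Defender binary on a device where that never happened in the previous 30 days is kept, while a device that routinely does so via a maintenance script is silenced without a hand-written exclusion.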
ThreatPulse — Automated Threat Intelligence