Acer Connect M6E 5G Router Critical Firmware Vulnerabilities (CVE-2026-49185 through CVE-2026-50213): Multiple Unauthenticated RCE and Authentication Bypass Flaws

Multiple critical vulnerabilities have been disclosed in Acer Connect M6E 5G router firmware, including unauthenticated remote code execution, authentication bypass, hardcoded credentials, and cleartext logging of sensitive data. The vulnerabilities span CVSS scores from 7.5 to 9.8 and affect the Acer Connect M6E — a 5G-capable mobile router deployed in enterprise, industrial, and mobile workforce environments. Combined, these vulnerabilities enable complete device compromise with no authentication required.

What Are the Vulnerabilities?

The disclosed vulnerabilities represent systemic security failures across the device firmware, including:

CVE-2026-49185 (CVSS 9.8, CWE-78 — Command Injection): The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing unauthenticated command injection through the device management interface.

CVE-2026-49186 (CVSS 9.8, CWE-287 — MQTT ACL Bypass): The local MQTT broker does not enforce topic-level Access Control Lists. Any client can subscribe using wildcard characters to enumerate hidden network devices or publish rogue control commands.

CVE-2026-49188 (CVSS 9.8, CWE-489 — Root Command Execution): The ai_cmd utility executes with full root permissions and pipes socket inputs directly to popen(), allowing unauthenticated users to execute arbitrary root commands.

CVE-2026-49191 (CVSS 9.8, CWE-287 — Hardcoded API Keys): The production build of the M3WebServer hard-codes backend API keys, which can be intercepted through verbose error handling pages.

CVE-2026-49194 (CVSS 8.8, CWE-287 — Debug Backdoor): The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell.

CVE-2026-49189 (CVSS 7.8, CWE-269 — Unauthorized Broadcast Receiver): Unchecked public access permissions on a core Broadcast Receiver allow unauthorised local software components to invoke administrative operations.

CVE-2026-49190 (CVSS 8.8, CWE-78 — Opcode Command Injection): The system fails to evaluate instructional permissions over multiple internal operation codes, permitting unauthorised application installations or command executions.
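The three command-execution findings above (the adb message topic feeding Runtime.exec(), ai_cmd piping socket input to popen(), and the unchecked opcodes) share one root cause: attacker-controlled text reaches a shell. The following Python example is added here for illustration and is not Acer firmware code; the opcodes, message shape and binary paths are assumptions. It places the flawed pattern (one shell string built from message fields) beside a hardened dispatcher that maps an allow-listed opcode to a fixed argv, validates each argument against a strict pattern, and never invokes a shell.

```python
"""Command dispatch over untrusted device-management messages.

Added example for this advisory; it is not Acer firmware code. The opcodes,
message shape and binary paths are assumptions chosen for the demo.
"""
import json
import re
import subprocess

# Constructed messages of the kind a device-management topic might deliver.
SAMPLE_OK = '{"op": "ping", "args": ["192.0.2.10"]}'
SAMPLE_INJECTED = '{"op": "ping", "args": ["192.0.2.10; id"]}'
SAMPLE_UNKNOWN_OP = '{"op": "install_apk", "args": ["http://example.invalid/x.apk"]}'


def build_shell_string_unsafe(raw: str) -> str:
    """The flawed pattern: message fields are pasted into one shell string.

    Returning the string rather than executing it is enough to show the bug:
    anything a shell treats as a separator inside an argument becomes a
    second command.
    """
    msg = json.loads(raw)
    return msg["op"] + " " + " ".join(msg["args"])


# Hardened side: each opcode maps to a fixed argv prefix plus the number of
# caller-supplied arguments it may take (both assumed for the demo).
ALLOWED_OPS = {
    "ping":   (("/bin/ping", "-c", "1"), 1),
    "status": (("/bin/cat", "/proc/loadavg"), 0),
}
# One conservative shape for every argument: hostnames, IPs, simple tokens.
ARG_RE = re.compile(r"[A-Za-z0-9.:_-]{1,64}")


class RejectedCommand(ValueError):
    """Raised for any message that does not fit the allow-list exactly."""


def build_argv(raw: str) -> list:
    """Turn a message into an argv list, or refuse it."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedCommand(f"malformed message: {exc}") from None
    op = msg.get("op") if isinstance(msg, dict) else None
    if op not in ALLOWED_OPS:
        raise RejectedCommand(f"opcode not allowed: {op!r}")
    prefix, max_args = ALLOWED_OPS[op]
    args = msg.get("args", [])
    if not isinstance(args, list) or len(args) > max_args:
        raise RejectedCommand("wrong argument count")
    if not all(isinstance(a, str) and ARG_RE.fullmatch(a) for a in args):
        raise RejectedCommand("argument failed validation")
    return [*prefix, *args]


def run_message(raw: str) -> subprocess.CompletedProcess:
    """Execute a validated message without a shell: the argv list goes to the
    kernel as-is, so separators inside arguments are never interpreted."""
    return subprocess.run(build_argv(raw), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    print("unsafe string:", build_shell_string_unsafe(SAMPLE_INJECTED))
    print("validated argv:", build_argv(SAMPLE_OK))
    for bad in (SAMPLE_INJECTED, SAMPLE_UNKNOWN_OP):
        try:
            build_argv(bad)
        except RejectedCommand as exc:
            print("rejected:", exc)
```

The argument pattern and per-opcode argument count are the whole defence: a message that does not match is refused before any process is started, and because the validated argv is passed with `shell=False`, a separator that slips through validation would still reach the target binary as a literal argument rather than being parsed by a shell.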

CVE-2026-50205 (CVSS 8.2, CWE-532 — Cleartext Credential Logging): System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.
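The cleartext-logging finding is usually a sink problem rather than a logging-framework problem: the credential is written exactly as the code received it. As an added example (not Acer code), the Python block below installs a logging filter that redacts common secret fields and e-mail addresses before a record reaches any handler; the field names in SECRET_KEYS and the sample log lines are assumptions constructed for the demo.

```python
"""Redacting credentials and identifiers before they reach a log file.

Added example for this advisory, not device firmware. The secret field names
and the sample lines below are assumptions constructed for the demo.
"""
import io
import logging
import re

# Field names treated as secrets (assumed; extend for the application at hand).
SECRET_KEYS = ("password", "passwd", "smtp_pass", "api_key", "token")
_SECRET_RE = re.compile(
    r'(?i)\b(' + '|'.join(SECRET_KEYS) + r')\s*[=:]\s*("[^"]*"|\S+)'
)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed lines of the kind an SMTP or MDM sync routine might emit.
SAMPLE_LINE = 'smtp login host=mail.example.com user=jdoe@example.com password="Hunter2!"'
SAMPLE_LINE2 = "mdm sync api_key: 0123abcd token=deadbeef"


def redact(text: str) -> str:
    """Replace secret values and e-mail addresses with fixed markers.

    The key is kept and the separator normalised to '=' so the line stays
    greppable; only the value disappears.
    """
    text = _SECRET_RE.sub(lambda m: m.group(1) + "=<redacted>", text)
    return _EMAIL_RE.sub("<email>", text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's final message, so format arguments are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def capture(line: str) -> str:
    """Log one line through the filter into a buffer and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.redact")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(line)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE2):
        print(capture(line))
```

Attaching the filter to the logger (rather than to one handler) means every handler added later inherits the redaction, which is the property an audit wants: no code path can write an unredacted record through that logger.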

CVE-2026-50208 (CVSS 9.4, CWE-330 — TLS Validation Disabled): High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a MITM attacker could decrypt network traffic.

CVE-2026-50209 (CVSS 7.8, CWE-732 — MDM Hijacking): Broadcast events allow malicious software to rewrite the device’s default Mobile Device Management endpoint address, shifting administrative ownership to an external attacker.

Additional vulnerabilities include: exposed engineering diagnostics with write privileges to NVRAM (CVE-2026-50211), unauthenticated eSIM management (CVE-2026-49203), unauthenticated multimedia session access (CVE-2026-49202), AES-CBC with static zero IVs (CVE-2026-50210), unauthenticated Binder AT command pass-through (CVE-2026-50207), unauthenticated user profile enumeration (CVE-2026-50213), and overexposed cloud telemetry (CVE-2026-49193).

Which Versions Are Affected?

  • Acer Connect M6E 5G — all current firmware versions

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed. However, the breadth and severity of the vulnerabilities — multiple unauthenticated RCE vectors, hardcoded credentials, debug backdoors — make exploitation highly likely once attackers develop tooling. The M6E is a 5G mobile router that often serves as the primary internet gateway for mobile workforces, industrial IoT deployments, and temporary sites — a compromised router provides persistent network-level access.

What Is the Fix?

Acer is working on firmware updates. Until patches are available: (1) restrict all management interfaces to trusted networks — do not expose the device to the internet; (2) disable MQTT, adb, and debugging interfaces if not operationally required; (3) change all default credentials; (4) deploy network-level monitoring for unusual MQTT traffic and command execution patterns. Monitor Acer’s support site for firmware releases.
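Step (4) above, monitoring for unusual MQTT traffic, can be started from the broker's own log. The Python example below is added for illustration and is not Acer or broker project code: it parses constructed, one-line-per-event log lines loosely modelled on a verbose broker log, implements MQTT topic-filter matching, and raises an alert when an untrusted client subscribes with a filter that would cover a sensitive control topic (the wildcard enumeration described under CVE-2026-49186) or publishes to a control topic. The topic names, client IDs and trust list are assumptions.

```python
"""Spotting MQTT ACL abuse in broker logs (added example; not Acer code).

The log lines are constructed for this demo in a one-line-per-event form
loosely modelled on a verbose broker log. Topic names, client IDs and the
trust list are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
1717588800: New client connected from 10.0.0.5:51234 as sensor-01 (p2, c1, k60).
1717588801: Received SUBSCRIBE from sensor-01: sensors/sensor-01/+ (QoS 0)
1717588802: New client connected from 10.0.0.77:40011 as unknown-7f (p2, c1, k60).
1717588803: Received SUBSCRIBE from unknown-7f: # (QoS 0)
1717588804: Received PUBLISH from unknown-7f (d0, q1, r0, m3, 'mdm/adb/exec', ... (48 bytes))
1717588805: Received PUBLISH from sensor-01 (d0, q0, r0, m4, 'sensors/sensor-01/temp', ... (6 bytes))
1717588806: Received SUBSCRIBE from mdm-service: mdm/adb/exec (QoS 1)
"""

# Assumed policy: topics nobody but the trusted clients should touch.
SENSITIVE_TOPICS = ("mdm/adb/exec", "mdm/config/endpoint", "control/reboot")
CONTROL_PREFIXES = ("mdm/", "control/")
TRUSTED_CLIENTS = {"mdm-service"}

SUB_RE = re.compile(r"^(\d+): Received SUBSCRIBE from (\S+): (\S+) \(QoS \d\)$")
PUB_RE = re.compile(r"^(\d+): Received PUBLISH from (\S+) \(d\d, q\d, r\d, m\d+, '([^']+)',")


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' covers exactly one level, '#' the remainder."""
    fparts = filt.split("/")
    tparts = topic.split("/")
    for i, f in enumerate(fparts):
        if f == "#":
            return True
        if i >= len(tparts):
            return False
        if f != "+" and f != tparts[i]:
            return False
    return len(fparts) == len(tparts)


@dataclass
class Alert:
    ts: int
    client: str
    rule: str
    detail: str


def analyse(log_text: str) -> list:
    """Return alerts for untrusted clients reaching into control topics."""
    alerts = []
    for line in log_text.splitlines():
        m = SUB_RE.match(line)
        if m:
            ts, client, filt = int(m.group(1)), m.group(2), m.group(3)
            if client in TRUSTED_CLIENTS:
                continue
            hits = [t for t in SENSITIVE_TOPICS if topic_matches(filt, t)]
            if hits:
                alerts.append(Alert(ts, client, "wildcard-sub-covers-sensitive-topic",
                                    f"{filt} matches {', '.join(hits)}"))
            continue
        m = PUB_RE.match(line)
        if m:
            ts, client, topic = int(m.group(1)), m.group(2), m.group(3)
            if client not in TRUSTED_CLIENTS and topic.startswith(CONTROL_PREFIXES):
                alerts.append(Alert(ts, client, "unauthorised-control-publish", topic))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.rule}: {a.detail}")
```

Checking a subscription filter against the sensitive topics with real wildcard semantics, rather than just searching for a `#` character, is what keeps the rule useful: `sensors/+/temp` is ordinary telemetry and stays quiet, while a bare `#` or `mdm/#` is flagged because it would deliver every control message to the subscriber. In production the same two rules belong in the broker's ACL as a deny, with this log check left in place to catch a misconfigured or bypassed ACL.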

Recommendations

Containment: restrict network access, disable unnecessary services, and rotate credentials. The volume of critical vulnerabilities with no current patch makes this device unsuitable for deployment in security-sensitive environments until firmware updates are released.

For enterprise deployments, plan for replacement if patches are delayed. A device with multiple unauthenticated RCE vectors and hardcoded credentials should not serve as a long-term network gateway.

This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.
