Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.
Analysis (AI)
Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbitrary applications or execute operating system commands by abusing internal operation codes (opcodes) whose permission checks are not properly enforced. The flaw carries a CVSS 4.0 score of 9.4 (Critical) due to network reach, low attack complexity, and high confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems. …
Vulnerability Assessment (AI)
| Exploitation | The attacker must have network reachability to the router's management plane (typically the LAN/Wi-Fi side of an Acer Connect M6E, or the WAN side if remote administration has been enabled) and must hold low-privileged credentials on the device (CVSS PR:L) - fully unauthenticated access is not indicated by the vector. … |
| Risk Assessment | Signals are mostly aligned toward high real-world risk: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H and high subsequent-system impact (SC:H/SI:H/SA:H) describes a network-reachable, low-complexity, no-interaction command injection achievable with only low privileges, which on a consumer router often equates to an ordinary management account or a guest-network foothold. … |
| Exploit Scenario | An attacker with low-privileged access to the router's management interface - for example, a guest Wi-Fi user, a compromised LAN host, or someone with a captured non-admin account - sends a crafted request invoking one of the unprotected opcodes and supplies shell metacharacters in a parameter that is concatenated into an OS command. The router executes the injected command in the firmware's command interpreter, allowing the attacker to install a backdoor application or run arbitrary system commands as the service account, pivoting to full device takeover and a foothold on the local network. |
| Remediation | Patch available per vendor advisory at https://community.acer.com/en/kb/articles/19707 - administrators should consult that knowledge base article for the fixed firmware build and apply the update to every Acer Connect M6E unit in inventory, since no exact fixed version is enumerated in the available CVE data. … |
Recommended Action (AI)
24 hours: Identify all Acer Connect M6E 5G routers in your network; restrict access to management interfaces to trusted networks only; disable remote management if not operationally required. …
Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta
Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000
Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)
Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p
Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re
Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow
Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r
Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co
Information disclosure in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.0
Same weakness: CWE-78 – OS Command Injection
Same technique: Command Injection
EUVD-2026-34209
GHSA-v76p-jwh5-4pcm