Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
AnalysisAI
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unauthenticated attackers to reach app-facing web endpoints by sending an HTTP Authorization header whose Base64 payload is intentionally malformed, because the endpoint treats a decoding failure as a pass rather than a rejection. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high confidentiality, integrity, availability impact on both vulnerable and subsequent systems) reflects full takeover potential against an internet-reachable consumer/SOHO router, though no public exploit identified at time of analysis.
Technical ContextAI
The affected component is the web management/companion API on Acer's Predator Connect W6x Wi-Fi 6E router, which is paired with the Acer Connect mobile app. Per CWE-287 (Improper Authentication), the endpoints implement HTTP Basic-style authentication by Base64-decoding the credentials in the Authorization header; the defect is that a failed Base64 decode path returns success (or simply does not short-circuit the request) instead of denying access. This is a classic 'fail-open' authentication flaw: instead of treating malformed input as untrusted, the parser's exception path bypasses the credential check entirely, leaving the privileged API surface exposed to anyone able to reach the device's HTTP service.
RemediationAI
Apply the firmware update referenced in Acer's advisory at https://community.acer.com/en/kb/articles/19672 - specific fixed firmware version is not enumerated in the input data, so consult the advisory for the exact post-W6x_GBL_2.00.000005 build (patch available per vendor advisory). Until the device is updated, restrict reachability of the router's HTTP management/companion-app endpoints: disable remote/WAN management in the router settings (trade-off: loses Acer Connect app access from outside the home network), and on the LAN side place the router's admin interface behind a firewall ACL limited to trusted client IPs or VLANs (trade-off: legitimate app users on guest/IoT segments will lose access). Avoid exposing the device directly to the internet via port forwarding to the management port, and monitor authentication logs for Authorization headers containing non-Base64 characters as an indicator of exploitation attempts.
More in Predator Connect W6X
View allRemote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via c
Unauthenticated command execution on Acer Predator Connect W6x routers exposes the /sbin/mtk_dut debug binary on TCP por
Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbit
Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33264
GHSA-6pmc-5frg-fmg6