Skip to main content

Acer Predator Connect CVE-2026-49197

| EUVDEUVD-2026-33264 CRITICAL
Improper Authentication (CWE-287)
2026-05-29 Acer GHSA-6pmc-5frg-fmg6
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 11:21 vuln.today
CVSS changed
May 29, 2026 - 09:22 NVD
10.0 (CRITICAL)
CVE Published
May 29, 2026 - 08:24 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.

AnalysisAI

Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unauthenticated attackers to reach app-facing web endpoints by sending an HTTP Authorization header whose Base64 payload is intentionally malformed, because the endpoint treats a decoding failure as a pass rather than a rejection. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high confidentiality, integrity, availability impact on both vulnerable and subsequent systems) reflects full takeover potential against an internet-reachable consumer/SOHO router, though no public exploit identified at time of analysis.

Technical ContextAI

The affected component is the web management/companion API on Acer's Predator Connect W6x Wi-Fi 6E router, which is paired with the Acer Connect mobile app. Per CWE-287 (Improper Authentication), the endpoints implement HTTP Basic-style authentication by Base64-decoding the credentials in the Authorization header; the defect is that a failed Base64 decode path returns success (or simply does not short-circuit the request) instead of denying access. This is a classic 'fail-open' authentication flaw: instead of treating malformed input as untrusted, the parser's exception path bypasses the credential check entirely, leaving the privileged API surface exposed to anyone able to reach the device's HTTP service.

RemediationAI

Apply the firmware update referenced in Acer's advisory at https://community.acer.com/en/kb/articles/19672 - specific fixed firmware version is not enumerated in the input data, so consult the advisory for the exact post-W6x_GBL_2.00.000005 build (patch available per vendor advisory). Until the device is updated, restrict reachability of the router's HTTP management/companion-app endpoints: disable remote/WAN management in the router settings (trade-off: loses Acer Connect app access from outside the home network), and on the LAN side place the router's admin interface behind a firewall ACL limited to trusted client IPs or VLANs (trade-off: legitimate app users on guest/IoT segments will lose access). Avoid exposing the device directly to the internet via port forwarding to the management port, and monitor authentication logs for Authorization headers containing non-Base64 characters as an indicator of exploitation attempts.

Share

CVE-2026-49197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy