Skip to main content

Acer Predator Connect W6x CVE-2026-49198

| EUVDEUVD-2026-33266 HIGH
Improper Access Control (CWE-284)
2026-05-29 Acer GHSA-jwxj-jjcm-8p4w
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 11:20 vuln.today
CVSS changed
May 29, 2026 - 09:22 NVD
8.3 (HIGH)
CVE Published
May 29, 2026 - 08:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.

AnalysisAI

Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors to subscribe to wildcard topics and observe all MQTT traffic traversing the device. The flaw stems from improper access control (CWE-284) on broker subscriptions, enabling cross-tenant data exposure with high confidentiality impact and scope change to other subscribed services. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

The Predator Connect W6x is Acer's Wi-Fi 6E mesh router (CPE cpe:2.3:a:acer:predator_connect_w6x), which embeds an MQTT broker - a lightweight publish/subscribe messaging protocol commonly used for IoT device telemetry, cloud management, and inter-component messaging within the router firmware. MQTT brokers enforce access control via Access Control Lists (ACLs) that govern which clients may publish or subscribe to which topic hierarchies; the '#' and '+' wildcard characters allow subscribing to entire topic trees. CWE-284 (Improper Access Control) applies here because the broker's ACL fails to restrict wildcard subscriptions to authorized principals, so any client with broker credentials can subscribe to '#' and observe every message published by every other component or tenant, including potentially device telemetry, configuration data, and management commands.

RemediationAI

Patch availability is not explicitly stated in the provided data - consult Acer's advisory at https://community.acer.com/en/kb/articles/19672 for the fixed firmware build and upgrade the Predator Connect W6x to the vendor-released patched version once identified (no exact fix version was supplied in the intelligence sources). As compensating controls until patching, restrict MQTT broker network exposure by ensuring TCP/1883 and 8883 are not reachable from the WAN interface (verify with an external port scan; side effect: any legitimate remote MQTT integrations will break), rotate any MQTT credentials used by router components or paired IoT devices to reduce the value of a leaked subscription stream, and segment the router's management interfaces onto a trusted VLAN so only administrative hosts can authenticate to the broker (side effect: requires guest/IoT network reconfiguration). Avoid exposing the router's cloud-management features if they are not required, since these typically traverse the embedded MQTT broker.

Share

CVE-2026-49198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy