Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
AnalysisAI
Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors to subscribe to wildcard topics and observe all MQTT traffic traversing the device. The flaw stems from improper access control (CWE-284) on broker subscriptions, enabling cross-tenant data exposure with high confidentiality impact and scope change to other subscribed services. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
The Predator Connect W6x is Acer's Wi-Fi 6E mesh router (CPE cpe:2.3:a:acer:predator_connect_w6x), which embeds an MQTT broker - a lightweight publish/subscribe messaging protocol commonly used for IoT device telemetry, cloud management, and inter-component messaging within the router firmware. MQTT brokers enforce access control via Access Control Lists (ACLs) that govern which clients may publish or subscribe to which topic hierarchies; the '#' and '+' wildcard characters allow subscribing to entire topic trees. CWE-284 (Improper Access Control) applies here because the broker's ACL fails to restrict wildcard subscriptions to authorized principals, so any client with broker credentials can subscribe to '#' and observe every message published by every other component or tenant, including potentially device telemetry, configuration data, and management commands.
RemediationAI
Patch availability is not explicitly stated in the provided data - consult Acer's advisory at https://community.acer.com/en/kb/articles/19672 for the fixed firmware build and upgrade the Predator Connect W6x to the vendor-released patched version once identified (no exact fix version was supplied in the intelligence sources). As compensating controls until patching, restrict MQTT broker network exposure by ensuring TCP/1883 and 8883 are not reachable from the WAN interface (verify with an external port scan; side effect: any legitimate remote MQTT integrations will break), rotate any MQTT credentials used by router components or paired IoT devices to reduce the value of a leaked subscription stream, and segment the router's management interfaces onto a trusted VLAN so only administrative hosts can authenticate to the broker (side effect: requires guest/IoT network reconfiguration). Avoid exposing the router's cloud-management features if they are not required, since these typically traverse the embedded MQTT broker.
More in Predator Connect W6X
View allRemote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via c
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unau
Unauthenticated command execution on Acer Predator Connect W6x routers exposes the /sbin/mtk_dut debug binary on TCP por
Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbit
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33266
GHSA-jwxj-jjcm-8p4w