Skip to main content

Acer Connect M6E CVE-2026-50205

| EUVDEUVD-2026-34217 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-04 Acer GHSA-3wcr-5c6g-86gm
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 04, 2026 - 07:33 vuln.today
CVSS changed
Jun 04, 2026 - 07:22 NVD
8.8 (HIGH)

DescriptionCVE.org

System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.

AnalysisAI

Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication passwords and employee corporate identification data through system log files. With a CVSS 4.0 score of 8.8 (high confidentiality impact, network attack vector, no privileges or user interaction required) and no public exploit identified at time of analysis, the flaw enables remote attackers who can reach the log output to harvest credentials and PII without authentication.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Acer M6E management interface
Delivery
Access system log endpoint unauthenticated
Exploit
Extract cleartext SMTP credentials and employee IDs
Execution
Authenticate to corporate SMTP server
Impact
Send phishing or harvest further data

Vulnerability AssessmentAI

Exploitation Exploitation requires the affected Acer Connect M6E 5G Portable WiFi Router to have the SMTP notification/alerting feature configured with credentials (otherwise no SMTP secret is logged) and the attacker must have a path to the device's system log output - either via the web admin log-viewer, a remote syslog destination, or direct file access on the device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) indicates network-reachable, unauthenticated, low-complexity access yielding high confidentiality impact - consistent with retrievable log output exposing credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who reaches the router's management or log interface - for example via an exposed admin portal on a public IP, a guest Wi-Fi segment, or lateral movement on the local network - retrieves the system log and extracts the plaintext SMTP authentication password and corporate employee identifiers. The recovered SMTP credential is then leveraged to send phishing emails from the organization's legitimate mail server or, if reused, to pivot into corporate identity systems. …
Remediation Consult the Acer advisory at https://community.acer.com/en/kb/articles/19707 for firmware update guidance; the provided intelligence does not include a confirmed fix version, so this is best described as patch availability per vendor advisory with the exact patched firmware build not independently confirmed in this dataset. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Acer Connect M6E 5G routers in production and isolate from sensitive networks or disable if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-49185 CRITICAL
10.0 Jun 04

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all

CVE-2026-49190 CRITICAL
9.4 Jun 04

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit

CVE-2026-49194 CRITICAL
9.4 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a

CVE-2026-49191 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded

CVE-2026-50214 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta

CVE-2026-50209 CRITICAL
9.3 Jun 04

Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000

CVE-2026-50208 CRITICAL
9.2 Jun 04

Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)

CVE-2026-49202 HIGH
8.8 Jun 04

Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re

CVE-2026-50211 HIGH
8.8 Jun 04

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow

CVE-2026-50225 HIGH
8.8 Jun 04

Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r

CVE-2026-49193 HIGH
8.7 Jun 04

Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co

CVE-2026-49187 HIGH
8.7 Jun 04

Information disclosure in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.0

Share

CVE-2026-50205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy