Acer Connect M6E CVE-2026-50206

EUVD-2026-34218 · HIGH · OS Command Injection (CWE-78)
2026-06-04 · Acer · GHSA-vhmh-w6ph-mvx3
8.5 · CVSS 4.0 · NVD

Severity by source

NVD (primary): 8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Analysis Generated: Jun 04, 2026 - 07:33 (vuln.today)
  • CVSS changed: Jun 04, 2026 - 07:22 (NVD), 8.5 (HIGH)

Description (CVE.org)

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.

Analysis (AI)

Command injection in Acer Connect M6E 5G Portable WiFi Router allows authenticated adjacent-network attackers to execute arbitrary OS commands by submitting VPN network profile configuration files containing unsanitized special characters. The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the router, though exploitation requires high privileges and adjacent (not internet-facing) network access. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Join adjacent Wi-Fi/LAN network
  • Delivery: Authenticate to router admin UI
  • Exploit: Upload crafted VPN profile with shell metacharacters
  • Execution: Profile parser interpolates input into shell command
  • Persist: Injected commands execute on router firmware
  • Impact: Pivot to LAN clients and persist

Vulnerability Assessment (AI)

Exploitation: The attacker must (1) be on a network adjacent to the router - typically associated to its Wi-Fi SSID or plugged into a LAN port, not reachable from the public internet (AV:A) - and (2) already hold high-privilege administrator credentials to the router's management interface (PR:H). …

Risk Assessment: Risk is moderate-to-high in the specific deployment context but narrower than the 8.5 score suggests in isolation. …

Exploit Scenario: An attacker who has obtained administrator credentials to the router - for instance via default-credential reuse, phishing of the owner, or a prior credential leak - connects to the device's Wi-Fi or LAN and uploads a crafted VPN profile in which a field such as the server hostname or auth parameter contains shell metacharacters and an embedded command. When the router processes the profile, the injected command runs in the firmware's shell, giving the attacker arbitrary code execution on the gateway, from which they can sniff client traffic, pivot to internal devices, or persist via modified startup scripts. …

Remediation: Apply the firmware update referenced in the Acer advisory at https://community.acer.com/en/kb/articles/19707 as the primary remediation; an exact fixed firmware version is not enumerated in the provided intelligence, so administrators should pull the latest available image directly from Acer's support page for the Connect M6E. …
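
A defensive check for the injection path in the exploit scenario above, added here as an example (it is not Acer's firmware code and not from the advisory): profile fields are allowlist-validated and then handed to a helper as an argument vector, so no shell ever parses them. The key=value layout, the field names `server`, `port` and `username`, and the `vpn-connect` helper are assumptions, since the page does not document the M6E profile format.

```python
import re

# Field names and the key=value layout are assumptions for this example; the
# page does not document the M6E profile format.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
RULES = {
    # RFC 1123 style hostname: no shell metacharacters, no leading '-'.
    "server": re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*"),
    "port": re.compile(r"[0-9]{1,5}"),
    "username": re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}"),
}

def parse_profile(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def validate_profile(fields):
    """Return the names of fields that are missing, malformed or unexpected."""
    bad = [k for k, rx in RULES.items() if not rx.fullmatch(fields.get(k, ""))]
    if "port" not in bad and not 1 <= int(fields["port"]) <= 65535:
        bad.append("port")
    bad += sorted(k for k in fields if k not in RULES)
    return bad

def build_argv(fields):
    """Build an argument vector for a hypothetical 'vpn-connect' helper."""
    bad = validate_profile(fields)
    if bad:
        raise ValueError(f"rejected profile fields: {bad}")
    # A list passed to subprocess.run() without shell=True is never parsed by
    # a shell, so each value stays one argument even if validation missed it.
    return ["vpn-connect", "--server", fields["server"],
            "--port", fields["port"], "--user", fields["username"]]

# Constructed sample profiles (not taken from a real device).
GOOD = "server=vpn.example.net\nport=1194\nusername=alice\n"
BAD = "server=vpn.example.net;echo injected\nport=1194\nusername=alice\n"

if __name__ == "__main__":
    print(validate_profile(parse_profile(GOOD)))
    print(validate_profile(parse_profile(BAD)))
```

Rejecting unknown keys and values that begin with `-` also closes off option injection into the helper, which argument-vector execution alone does not prevent.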

Recommended Action (AI)

24 hours: Identify all Acer Connect M6E 5G routers in use and document network placement, connected systems, and privilege levels assigned to end users. …

CVE-2026-49185 CRITICAL
10.0 Jun 04

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all

CVE-2026-49190 CRITICAL
9.4 Jun 04

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit

CVE-2026-49194 CRITICAL
9.4 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a

CVE-2026-49191 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded

CVE-2026-50214 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta

CVE-2026-50209 CRITICAL
9.3 Jun 04

Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000

CVE-2026-50208 CRITICAL
9.2 Jun 04

Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)

CVE-2026-50205 HIGH
8.8 Jun 04

Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p

CVE-2026-49202 HIGH
8.8 Jun 04

Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re

CVE-2026-50211 HIGH
8.8 Jun 04

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow

CVE-2026-50225 HIGH
8.8 Jun 04

Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r

CVE-2026-49193 HIGH
8.7 Jun 04

Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co
