Acer Connect M6E CVE-2026-50207

EUVD-2026-34219 · HIGH
Path Traversal (CWE-22)
2026-06-04 · Acer · GHSA-jv9c-3q58-cmgw
8.5 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

Jun 04, 2026 - 11:07 · vuln.today · Analysis Generated
Jun 04, 2026 - 09:22 · NVD · CVSS changed: 8.5 (HIGH)
Jun 04, 2026 - 07:04 · nvd · CVE Published: UNKNOWN (no severity yet)

Description (CVE.org)

The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.

Analysis (AI)

Local privilege abuse in the Acer Connect M6E 5G Portable WiFi Router lets installed applications smuggle raw AT commands across the Android system Binder boundary, where they are forwarded to the cellular baseband without verification. Up to and including firmware M6E_AI_1.00.000019, low-privileged local apps can read sensitive baseband files (IMSI, configuration blobs) and disable cellular connectivity, with no public exploit identified at time of analysis and no CISA KEV listing.
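
The description says the pass-through forwards AT commands without verification. The sketch below is an added example, not Acer's code and not taken from the advisory: it shows the kind of check such a boundary needs, combining caller authorisation with an allow-list of read-only command forms. The trusted UID set, the allow-list contents and the made-up command name `+EXAMPLEREAD` are assumptions, and Python stands in for whatever language the on-device service uses.

```python
import re

# Assumptions for illustration: only the radio UID (Android AID_RADIO = 1001)
# may use the pass-through, and only these 3GPP TS 27.007 query forms.
TRUSTED_UIDS = {1001}
ALLOWED = {
    "+CSQ": {"exec", "test"},    # signal quality
    "+CGMI": {"exec", "test"},   # manufacturer
    "+CREG": {"read", "test"},   # registration status
    "+CFUN": {"read", "test"},   # read the radio mode, never set it
}
CMD_RE = re.compile(r"AT(\+[A-Z0-9]+)(=\?|\?|=.*)?")

def command_form(suffix):
    """Map the text after the command name to exec/read/test/set."""
    return {None: "exec", "?": "read", "=?": "test"}.get(suffix, "set")

def check_at_command(caller_uid, line):
    """Decide whether to forward one AT line; returns (allowed, reason)."""
    if caller_uid not in TRUSTED_UIDS:
        return False, "caller not authorised"
    cmd = line.strip().upper()
    if len(cmd) > 64 or any(not 0x20 <= ord(c) <= 0x7E for c in cmd):
        return False, "malformed line"
    if ";" in cmd:
        return False, "chained commands"
    if ".." in cmd or "/" in cmd or "\\" in cmd:
        return False, "path-like argument"
    m = CMD_RE.fullmatch(cmd)
    if m is None:
        return False, "not a single extended AT command"
    name, form = m.group(1), command_form(m.group(2))
    if form not in ALLOWED.get(name, ()):
        return False, f"{name} {form} form not on allow-list"
    return True, "ok"

# Constructed inputs: (caller UID, AT line). +EXAMPLEREAD is a made-up name.
SAMPLES = [
    (10123, "AT+CSQ"),
    (1001, "AT+CSQ\r"),
    (1001, "AT+CFUN?"),
    (1001, "AT+CFUN=0"),
    (1001, "AT+CSQ;+CFUN=0"),
    (1001, 'AT+EXAMPLEREAD="../nv/item"'),
]
if __name__ == "__main__":
    for uid, line in SAMPLES:
        print(uid, repr(line), check_at_command(uid, line))
```

The gate is default-deny: a command name or form that is not listed is refused, so set forms such as `CFUN=0` and any file-access command never reach the baseband.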


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Install local app on M6E
Delivery: Open Binder AT-command interface
Exploit: Send crafted AT path-traversal command
Execution: Read baseband EFS/NV files
Persist: Issue CFUN=0 detach command
Impact: Cellular service disabled and data exfiltrated

Vulnerability Assessment (AI)

Exploitation: Attacker must already be running code locally on the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) as an unprivileged on-device application that can reach the system Binder service exposing the AT-command pass-through; no user interaction, no elevated permissions, and no special configuration toggle are required because the pass-through accepts unverified commands by default. …

Risk Assessment: The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H reflects a high-impact local issue: any installed app with low privileges (no special permission, no user prompt) can both exfiltrate sensitive baseband data and brick connectivity. …

Exploit Scenario: A user side-loads or is tricked into installing a benign-looking utility on the M6E. With only low-level local privileges and no user interaction, the app opens the exposed Binder endpoint and issues crafted AT commands that read baseband filesystem entries (leaking IMSI/EFS data) and then send a CFUN=0 / detach sequence to drop cellular service, denying connectivity to every device tethered to the hotspot.

Remediation: The supplied data does not explicitly state a fixed version; treat this as 'Patch available per vendor advisory' and apply the firmware update referenced in Acer's KB at https://community.acer.com/en/kb/articles/19707 as soon as a release later than M6E_AI_1.00.000019 is published, then verify the build string in the device admin UI after the upgrade. …

Recommended Action (AI)

24 hours: Identify all Acer Connect M6E devices in production and restrict installation of third-party applications to trusted sources only. …


CVE-2026-49185 CRITICAL
10.0 Jun 04

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all

CVE-2026-49190 CRITICAL
9.4 Jun 04

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit

CVE-2026-49194 CRITICAL
9.4 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a

CVE-2026-49191 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded

CVE-2026-50214 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta

CVE-2026-50209 CRITICAL
9.3 Jun 04

Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000

CVE-2026-50208 CRITICAL
9.2 Jun 04

Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)

CVE-2026-50205 HIGH
8.8 Jun 04

Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p

CVE-2026-49202 HIGH
8.8 Jun 04

Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re

CVE-2026-50211 HIGH
8.8 Jun 04

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow

CVE-2026-50225 HIGH
8.8 Jun 04

Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r

CVE-2026-49193 HIGH
8.7 Jun 04

Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co
