Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
AnalysisAI
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote attackers to abuse a hardcoded global API token guarding the /v1/Plan service, granting full administrative control over network access plans. Unauthenticated attackers can create arbitrary zero-cost plans, effectively bypassing billing and access controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Acer Connect M6E's /v1/Plan management endpoint and knowledge (or recovery) of the shared global API token embedded for administrative use; no per-user credentials, MFA, user interaction, or non-default configuration is needed because the token is the sole authentication factor on a default-enabled service. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity, unauthenticated attack with high confidentiality, integrity, and availability impact on the vulnerable component - a textbook critical finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker associated to (or otherwise able to reach) the Acer Connect M6E's management API extracts the hardcoded global API token - for example by reverse-engineering the companion mobile app or sniffing a legitimate session - and sends crafted POSTs to /v1/Plan to provision unlimited zero-cost access plans for themselves or others. This effectively yields free 5G connectivity and undermines any quota, billing, or access-control logic the device enforces. … |
| Remediation | Consult the Acer advisory at https://community.acer.com/en/kb/articles/19707 for the vendor-supplied fix; the public input data does not enumerate a specific patched firmware build, so this should be treated as 'Patch available per vendor advisory' pending confirmation of the exact post-M6E_AI_1.00.000019 release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Acer Connect M6E 5G devices in production infrastructure and identify their current firmware versions; assess network exposure of affected units. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all
Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a
Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded
Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000
Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)
Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p
Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re
Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow
Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r
Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co
Information disclosure in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.0
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34228
GHSA-w6gp-x68f-qxch