Severity by source

CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
Analysis (AI)
Hardcoded AES-128-CBC cryptographic keys embedded in the AcerConnect OTA application allow unauthenticated remote attackers to forge authorization credentials for arbitrary IMEI numbers against the Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019). Once credentials are forged, attackers can enumerate OTA catalog items and retrieve protected firmware binaries via pre-signed cloud storage links. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The AcerConnect OTA application binary must be obtainable by the attacker, either through direct firmware extraction from a purchased device, firmware image analysis from Acer distribution sources, or any other binary acquisition path. … |
| Risk Assessment | The CVSS 4.0 score of 6.9 is driven by a network-reachable, low-complexity attack that requires no privileges or user interaction (AV:N/AC:L/AT:N/PR:N/UI:N), but impact is constrained to low confidentiality on the vulnerable system (VC:L) with no integrity, availability, or downstream scope effects. … |
| Exploit Scenario | An attacker obtains the AcerConnect OTA application binary (e.g., via firmware extraction or public distribution channels), decompiles it using standard reverse-engineering tools to recover the fixed AES-128-CBC key, then crafts HTTP requests to the OTA cloud backend using forged credentials tied to an arbitrary IMEI number. This yields access to the OTA catalog listing and download URLs for protected firmware binaries, which can be retrieved without any device-side interaction or authentication. … |
| Remediation | Apply the firmware update released by Acer that supersedes M6E_AI_1.00.000019; the exact patched firmware version is not independently confirmed from the data provided here, so consult the Acer advisory at https://community.acer.com/en/kb/articles/19707 for the specific target version. … |
Related vulnerabilities in the same product (entries truncated in the source)

- Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all…
- Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit…
- Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a…
- Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded…
- Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta…
- Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.0000…
- Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)…
- Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p…
- Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re…
- Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow…
- Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r…
- Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage co…
Weakness: CWE-321 – Use of Hard-coded Cryptographic Key

Technique: Authentication Bypass
Related identifiers: EUVD-2026-34231, GHSA-phcf-76rm-q992