Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.
AnalysisAI
Unauthenticated command execution on Acer Predator Connect W6x routers exposes the /sbin/mtk_dut debug binary on TCP port 9000, allowing any device on the LAN to issue arbitrary UCC (Unified Configuration Command) instructions without credentials. The flaw affects Predator Connect W6x firmware W6x_GBL_2.00.000005 and earlier, and at the time of analysis there is no public exploit identified, though the trivial protocol (raw TCP, no auth) makes weaponization straightforward once discovered.
Technical ContextAI
The Acer Predator Connect W6x is a MediaTek-based Wi-Fi 6E mesh router; the mtk_dut binary is a MediaTek 'Device Under Test' diagnostic/manufacturing utility typically used during factory calibration and RF testing, which exposes a UCC command interpreter. CWE-306 (Missing Authentication for a Critical Function) captures the root cause: the diagnostic listener was left bound to the LAN interface on TCP/9000 in shipping firmware without any authentication layer, so any client that can reach port 9000 can drive the same command surface a manufacturing technician would use. CPE cpe:2.3:a:acer:predator_connect_w6x covers the affected hardware line.
RemediationAI
Apply the firmware release published by Acer in the advisory at https://community.acer.com/en/kb/articles/19672 - no specific fixed-version string was provided in the available intelligence, so this is best described as patch available per vendor advisory rather than a confirmed version. Until the device is updated, restrict who can reach the router's LAN interface on TCP/9000: place the router on an isolated management VLAN, disable or strongly segment guest Wi-Fi from the management subnet, and use client isolation on any SSID where untrusted devices connect (trade-off: client isolation breaks AirPlay, Chromecast, and printer discovery). Where supported, add a host-based firewall rule on the router to drop inbound traffic to port 9000 on the LAN bridge; verify with an nmap scan from a wired and wireless client that 9000/tcp is filtered. Do not expose the LAN interface to untrusted IoT devices until patched.
More in Predator Connect W6X
View allRemote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via c
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unau
Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbit
Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33261
GHSA-2vr8-wh6w-3q8m