Skip to main content

Acer Predator Connect W6x EUVDEUVD-2026-33263

| CVE-2026-49196 HIGH
Command Injection (CWE-77)
2026-05-29 Acer GHSA-68jv-x4hh-mmjq
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 11:21 vuln.today
CVSS changed
May 29, 2026 - 09:22 NVD
8.6 (HIGH)
CVE Published
May 29, 2026 - 08:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.

AnalysisAI

Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbitrary shell commands by submitting a crafted MAC address through the Wi-Fi device blocking feature. The flaw stems from insufficient input sanitization on a value that is passed to a shell context, and at the time of analysis no public exploit has been identified and the issue is not listed in CISA KEV. With a CVSS 4.0 base score of 8.6, the bug confers full confidentiality, integrity and availability impact on the device itself.

Technical ContextAI

The affected device is the Acer Predator Connect W6x, a consumer/SOHO Wi-Fi router (CPE cpe:2.3:a:acer:predator_connect_w6x). The root cause maps to CWE-77 (Improper Neutralization of Special Elements used in a Command - 'Command Injection'): the management interface's Wi-Fi device-blocking function accepts a MAC address parameter and ultimately concatenates that user-supplied string into a shell command (typically used to push the MAC into iptables/ebtables or hostapd ACL rules) without proper neutralization of shell metacharacters such as backticks, semicolons, or $(). Because the router's web UI runs with elevated privileges on an embedded Linux stack, injected commands execute in that same context, giving an attacker code execution on the underlying OpenWrt-style firmware.

RemediationAI

Patch available per vendor advisory - consult Acer's knowledge base article at https://community.acer.com/en/kb/articles/19672 for the fixed firmware build that supersedes W6x_GBL_2.00.000005 and apply it through the router's firmware update flow; a specific patched version number is not independently confirmed in the input data. Until the firmware update is deployed, restrict access to the router's web management interface to a trusted management VLAN or specific admin hosts (which will block legitimate remote administration), ensure the default administrator password has been changed to a strong unique value and disable any 'remote management from WAN' option (which will block remote support workflows), and avoid using the Wi-Fi device-blocking feature in the admin UI as an interim control (which removes a parental-control capability). Monitor the device's syslog and any vendor-side telemetry for unexpected processes or configuration changes that would indicate post-exploitation.

Share

EUVD-2026-33263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy