Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.
AnalysisAI
Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbitrary shell commands by submitting a crafted MAC address through the Wi-Fi device blocking feature. The flaw stems from insufficient input sanitization on a value that is passed to a shell context, and at the time of analysis no public exploit has been identified and the issue is not listed in CISA KEV. With a CVSS 4.0 base score of 8.6, the bug confers full confidentiality, integrity and availability impact on the device itself.
Technical ContextAI
The affected device is the Acer Predator Connect W6x, a consumer/SOHO Wi-Fi router (CPE cpe:2.3:a:acer:predator_connect_w6x). The root cause maps to CWE-77 (Improper Neutralization of Special Elements used in a Command - 'Command Injection'): the management interface's Wi-Fi device-blocking function accepts a MAC address parameter and ultimately concatenates that user-supplied string into a shell command (typically used to push the MAC into iptables/ebtables or hostapd ACL rules) without proper neutralization of shell metacharacters such as backticks, semicolons, or $(). Because the router's web UI runs with elevated privileges on an embedded Linux stack, injected commands execute in that same context, giving an attacker code execution on the underlying OpenWrt-style firmware.
RemediationAI
Patch available per vendor advisory - consult Acer's knowledge base article at https://community.acer.com/en/kb/articles/19672 for the fixed firmware build that supersedes W6x_GBL_2.00.000005 and apply it through the router's firmware update flow; a specific patched version number is not independently confirmed in the input data. Until the firmware update is deployed, restrict access to the router's web management interface to a trusted management VLAN or specific admin hosts (which will block legitimate remote administration), ensure the default administrator password has been changed to a strong unique value and disable any 'remote management from WAN' option (which will block remote support workflows), and avoid using the Wi-Fi device-blocking feature in the admin UI as an interim control (which removes a parental-control capability). Monitor the device's syslog and any vendor-side telemetry for unexpected processes or configuration changes that would indicate post-exploitation.
More in Predator Connect W6X
View allRemote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via c
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unau
Unauthenticated command execution on Acer Predator Connect W6x routers exposes the /sbin/mtk_dut debug binary on TCP por
Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33263
GHSA-68jv-x4hh-mmjq