Acer Connect M6E · EUVD-2026-34212

CVE-2026-49193 HIGH
Information Exposure (CWE-200)
2026-06-04 Acer GHSA-j35w-fvr7-hfg9
8.7
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Jun 04, 2026 - 07:31 (vuln.today)
CVSS changed: Jun 04, 2026 - 07:22 (NVD), 8.7 (HIGH)

Description (CVE.org)

Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.

Analysis (AI)

Public exposure of telemetry data affects the Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage containers leave active device telemetry readable from the internet without authentication. Remote unauthenticated parties can harvest sensitive operational data per the CVSS 4.0 vector (AV:N/PR:N/UI:N, VC:H), and no public exploit was identified at the time of analysis. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Enumerate Acer cloud storage endpoints
Delivery: Identify publicly readable telemetry containers
Exploit: Issue unauthenticated GET requests
Execution: Harvest live device telemetry
Impact: Aggregate sensitive operational data

Vulnerability Assessment (AI)

Exploitation: No special conditions on the victim side - remote unauthenticated exploitation against the cloud storage containers serving the Acer Connect M6E 5G Portable WiFi Router telemetry pipeline, requiring only network reachability to the misconfigured cloud endpoint and no user interaction or credentials (CVSS AV:N/AC:L/AT:N/PR:N/UI:N). …
Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N indicates remote, unauthenticated, low-complexity access producing high confidentiality loss with no integrity or availability effect, yielding the 8.7 base score. …
Exploit Scenario: An attacker enumerates Acer-operated cloud storage endpoints, identifies the publicly readable containers receiving Connect M6E telemetry, and issues unauthenticated HTTP GET requests to download the live telemetry stream. The harvested data could reveal device identifiers, network usage, subscriber location patterns, or operational metadata useful for surveillance, targeted follow-on attacks, or competitive intelligence; no public exploit was identified at the time of analysis, so the most realistic actor is one performing routine cloud-bucket reconnaissance.
Remediation: Patch status: Patch available per vendor advisory - Acer indicates remediation via the Acer community knowledge base article at https://community.acer.com/en/kb/articles/19707, which owners of the Connect M6E should consult for confirmation that the cloud storage container ACLs have been tightened. …

Recommended Action (AI)

24 hours: Inventory all Acer Connect M6E 5G devices; verify cloud storage bucket permissions are private and disable cloud telemetry/synchronization features on all units. …

CVE-2026-49185 CRITICAL
10.0 Jun 04

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) all

CVE-2026-49190 CRITICAL
9.4 Jun 04

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbit

CVE-2026-49194 CRITICAL
9.4 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router allows low-privileged remote attackers to reach a

CVE-2026-49191 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router's M3WebServer production build exposes hard-coded

CVE-2026-50214 CRITICAL
9.3 Jun 04

Authentication bypass in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows remote atta

CVE-2026-50209 CRITICAL
9.3 Jun 04

Privilege escalation via MDM endpoint hijack in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.0000

CVE-2026-50208 CRITICAL
9.2 Jun 04

Cryptographic weaknesses in the Acer Connect M6E 5G Portable WiFi Router (firmware versions through M6E_AI_1.00.000019)

CVE-2026-50205 HIGH
8.8 Jun 04

Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication p

CVE-2026-49202 HIGH
8.8 Jun 04

Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets re

CVE-2026-50211 HIGH
8.8 Jun 04

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow

CVE-2026-50225 HIGH
8.8 Jun 04

Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows r

CVE-2026-49187 HIGH
8.7 Jun 04

Information disclosure in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.0

EUVD-2026-34212 vulnerability details – vuln.today
