Impact
The vulnerability arises from the FieldX Mobile Device Management service on Acer Connect M6E 5G routers, where inbound adb messaging payloads are forwarded directly to the operating system’s Runtime.exec() function without any validation or sanitization. This flaw is a classic command‑injection weakness (CWE‑78) that permits an attacker to execute arbitrary shell or native commands on the device, potentially yielding full control of the system. The impact includes the ability to alter router configuration, install persistent malware, or use the device as a pivot point for broader network attacks, thereby affecting confidentiality, integrity, and availability at the device level.
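To make the CWE‑78 pattern concrete, the following is an added illustration written for this page, not code from FieldX, Acer, or the CNA. It contrasts the weakness the advisory describes (an inbound message body handed straight to Runtime.exec()) with the defensive shape a handler should take: an allow‑list of named operations mapped to fixed argv arrays, strict validation of the single argument that one operation accepts, and ProcessBuilder with no shell. The MdmCommandHandler class, the operation names, the program paths, and the sample messages are all hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical MDM message handler illustrating the CWE-78 pattern from the
// advisory and one way to close it. Not the FieldX/Acer implementation.
public class MdmCommandHandler {

    // VULNERABLE PATTERN (the shape the advisory describes): the raw message
    // payload becomes the command line. Runtime.exec(String) tokenises on
    // whitespace, so the sender chooses both the program and its arguments;
    // if the service wraps this in a shell, metacharacters are honoured too.
    static Process handleVulnerable(String payload) throws IOException {
        return Runtime.getRuntime().exec(payload);   // untrusted text reaches exec unchanged
    }

    // HARDENED PATTERN: the message names an operation; the program and its
    // fixed arguments come only from this table (paths are assumptions).
    private static final Map<String, List<String>> ALLOWED = Map.of(
        "reboot",      List.of("/system/bin/reboot"),
        "get-version", List.of("/system/bin/getprop", "ro.build.version.release"),
        "set-apn",     List.of("/system/bin/mdm-apn")   // takes one validated argument
    );

    // Only "set-apn" accepts an argument, and only in this bounded shape:
    // letters, digits, dots and hyphens, 1-64 characters. Everything else is rejected.
    private static final Set<String> TAKES_ARG = Set.of("set-apn");
    private static final Pattern APN = Pattern.compile("^[A-Za-z0-9.-]{1,64}$");

    // Builds the argv array for an operation, or throws if the request is not
    // exactly one of the permitted forms. Returned list is safe to start.
    static List<String> buildArgv(String op, String arg) {
        List<String> base = ALLOWED.get(op);
        if (base == null) {
            throw new IllegalArgumentException("unknown MDM operation: " + op);
        }
        if (!TAKES_ARG.contains(op)) {
            if (arg != null) {
                throw new IllegalArgumentException("operation takes no argument: " + op);
            }
            return base;
        }
        if (arg == null || !APN.matcher(arg).matches()) {
            throw new IllegalArgumentException("invalid argument for " + op);
        }
        List<String> argv = new ArrayList<>(base);
        argv.add(arg);
        return argv;
    }

    // ProcessBuilder with an argv list: no shell is involved and the message
    // text is never re-tokenised, so the sender cannot pick the program.
    static Process handleHardened(String op, String arg) throws IOException {
        return new ProcessBuilder(buildArgv(op, arg)).start();
    }

    public static void main(String[] args) {
        // Constructed sample messages: two legitimate, two malformed.
        String[][] samples = {
            {"get-version", null},
            {"set-apn", "internet.example"},
            {"set-apn", "internet;extra"},
            {"/system/bin/sh", null},
        };
        for (String[] s : samples) {
            try {
                System.out.println("ACCEPT " + s[0] + " -> " + buildArgv(s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Running main prints ACCEPT for the first two messages and REJECT for the last two: the APN containing ";" fails the character allow‑list, and a message naming a program path is not a recognised operation. The key design point is that validation is structural (operation name plus a typed argument), not a blacklist of shell metacharacters, and that the hardened path never calls exec(String) or a shell at all.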
Affected Systems
Acer Connect M6E 5G Portable WiFi Router is affected. No specific firmware versions are listed in the CNA data; the issue has been reported for all models that rely on the FieldX MDM feature.
Risk and Exploitability
The CVSS score of 10 indicates critical severity. No EPSS score is available, so exploitation likelihood cannot be quantified, though the flaw’s nature suggests it is exploitable by an adversary with network access to the device’s MDM interface. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, via network traffic to the device’s MDM messaging endpoint; isolating or disabling that endpoint could mitigate exposure.
OpenCVE Enrichment