Description
The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.
Published: 2026-06-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves hard‑coded APK resource files that never expire and a shared scepter, allowing information leaks and potential misuse of the credentials stored in the router. This flaw directly exposes sensitive data and credentials, enabling attackers to obtain information that should be protected, in line with CWE‑200. No further exploitation mechanisms are described in the CVE entry.

Affected Systems

The affected product is the Acer Connect M6E 5G Portable WiFi Router. No specific firmware version is listed, so all current and prior releases may be impacted until a patch is issued.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS value is not available, and the issue is not in the CISA KEV catalog, suggesting no publicly known exploits at this time. Based on the description, the likely attack vector is local network access to the router, where an attacker can download or read the hard‑coded APK files to extract credentials. Since there is no official patch listed, the risk remains until the vendor releases a firmware update that removes the hard‑coded resources.

Generated by OpenCVE AI on June 4, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available firmware update from Acer that removes hard‑coded credentials.
  • Disable or delete the compromised APK resource files from the router’s storage.
  • Restrict network access to the router, for example by segmenting it behind a firewall and disabling unnecessary management services.

Generated by OpenCVE AI on June 4, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Description The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.
Title Hard-coded APK Resource Credentials & Scepters
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T03:50:11.957Z

Reserved: 2026-05-28T02:46:15.560Z

Link: CVE-2026-49187

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T06:16:24.290

Modified: 2026-06-04T06:16:24.290

Link: CVE-2026-49187

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T06:30:07Z

Weaknesses