Description
Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
Published: 2026-06-04
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unchecked public access permissions on a core Broadcast Receiver allow local software components to trigger administrative operations without proper authorization. This flaw can be leveraged to gain elevated privileges on the device, enabling an attacker to perform functions normally available only to the device’s administrative tenant. The primary consequence is local privilege escalation, potentially leading to total device compromise.

Affected Systems

Acer Connect M6E 5G Portable WiFi Router is the affected product. No specific firmware versions are listed in the advisory, so all current releases should be considered susceptible until a patch is released.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity for local privilege escalation. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. The attack vector is inferred to be local; an attacker must execute code or otherwise invoke the broadcast on the target device. Once triggered, the malicious component can perform privileged administrative actions, potentially disabling the router, reconfiguring it, or accessing sensitive network traffic.

Generated by OpenCVE AI on June 4, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version that includes a fix for the broadcast receiver permission issue.
  • If an update is not immediately available, restrict or disable the broadcast receiver functionality through the device’s configuration interface to prevent unauthorized invocations.
  • Ensure that only authenticated and authorized applications can access system broadcast mechanisms by reviewing and tightening local security settings and logs.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
Title | | Broadcast Receiver Privilege Escalation
Weaknesses | | CWE-269
References | |
Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T05:23:10.183Z

Reserved: 2026-05-28T02:46:15.560Z

Link: CVE-2026-49189

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T06:16:24.837

Modified: 2026-06-04T06:16:24.837

Link: CVE-2026-49189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T06:30:07Z

Weaknesses