Description
The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.
Published: 2026-06-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a failure to enforce instruction‑level authorization checks, allowing an attacker to inject privileged operation codes. The flaw permits the installation of unauthorized applications or arbitrary command execution, compromising the router's integrity and potentially enabling remote control of the device. This constitutes a high‑severity flaw that violates the principle of least privilege.

Affected Systems

Vulnerable hardware consists of Acer's Connect M6E 5G Portable WiFi Router. No specific firmware version information was provided in the advisory.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical impact, and the lack of an EPSS score means we cannot estimate current exploitation probability. The vulnerability is not listed in CISA's KEV catalog. An attacker could potentially trigger the bug through network traffic or a remote management interface, as no restriction on opcode execution is enforced. The absence of built-in authorization checks gives the attacker the ability to bypass normal security controls, making the attack path relatively straightforward if the device is reachable.

Generated by OpenCVE AI on June 4, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Acer that addresses the instruction‑level authorization issue.
  • Disable remote management features, such as Telnet, SSH, or web administration, unless absolutely necessary.
  • Restrict access to the router to trusted IP ranges and enforce strong passwords.
  • Monitor network traffic for anomalous command patterns that could indicate exploitation attempts.



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware |
| CPEs | | cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*; cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


Thu, 04 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions. |
| Title | | Missing Per-Instruction Authorization Checks |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:40:01.075Z

Reserved: 2026-05-28T02:46:15.560Z

Link: CVE-2026-49190

Vulnrichment

Updated: 2026-06-04T12:39:57.325Z

NVD

Status: Analyzed

Published: 2026-06-04T07:16:26.860

Modified: 2026-06-04T19:39:49.427

Link: CVE-2026-49190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T08:30:09Z

Weaknesses