Description
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A security weakness in the configuration of cloud storage containers lets anyone on the internet read telemetry data that should have remained confidential. The flaw is an information exposure vulnerability (CWE-200) that allows disclosure of potentially sensitive device operation metrics. No code execution or direct system compromise is possible, but exposed data could aid adversaries in reconnaissance or planning subsequent attacks.

Affected Systems

The vulnerability affects the Acer Connect M6E 5G Portable WiFi Router. Users who rely on the default or legacy firmware that does not restrict access to the cloud storage containers are at risk. The vendor may offer firmware updates that tighten or correct bucket policies.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. The EPSS score is not available and the vulnerability is not listed in CISA KEV, but the lack of those metrics does not reduce risk. Based on the title, it is inferred that the cloud storage is AWS S3 buckets, which can be accessed via standard HTTP requests if public read permission is enabled. Attackers require no special privileges and can retrieve the telemetry data simply by targeting the public endpoint. The vulnerability can be exploited whenever any Internet user can reach the container.

Generated by OpenCVE AI on June 4, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Acer firmware update that addresses public access settings for telemetry storage.
  • Restrict the cloud storage container’s access control to allow read access only to the intended identity and deny all other principals.
  • Enable block public access on the storage container to prevent world-readable permissions.

Generated by OpenCVE AI on June 4, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
CPEs cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
Title Publicly Readable AWS S3 Telemetry Buckets
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Acer Connect M6e 5g Connect M6e 5g Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:34:54.060Z

Reserved: 2026-05-28T02:46:15.561Z

Link: CVE-2026-49193

cve-icon Vulnrichment

Updated: 2026-06-04T12:34:49.919Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T07:16:27.297

Modified: 2026-06-04T19:38:59.963

Link: CVE-2026-49193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T09:00:12Z

Weaknesses