Description
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
Published: 2026-05-29
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in the MQTT broker of Acer Predator Connect W6x. It allows wildcard topic subscriptions, enabling unauthorized actors to observe or inject any MQTT messages. The weakness is a classic authorization error, classified as CWE-284, and can lead to significant confidentiality and integrity compromises when the broker is exposed to external networks.

Affected Systems

The affected product is the Acer Predator Connect W6x. Devices with firmware versions prior to the fixed release W6x_GBL_2.00.000008 are vulnerable, while later firmware includes the patch.

Risk and Exploitability

The CVSS score of 8.3 rates this flaw as high severity, indicating that exploitation could have a wide impact. Although the EPSS score is not available, the lack of a published KEV status suggests no publicly confirmed exploits yet. Based on the MQTT broker context, the likely attack vector is remote network access, where an attacker could connect to the broker and subscribe to the wildcard topic, thereby harvesting all message traffic.

Generated by OpenCVE AI on May 29, 2026 at 10:21 UTC.

Remediation

Vendor Solution

Fixed on firmware version: W6x_GBL_2.00.000008


OpenCVE Recommended Actions

  • Update the firmware to version W6x_GBL_2.00.000008 or later.
  • Configure the MQTT broker to restrict topic subscriptions to authorized clients only.
  • Disable or remove any wildcard subscription settings in the broker configuration.
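
The second and third actions come down to checking every SUBSCRIBE topic filter against what the client is allowed to read, with default deny. This record does not name the device's broker software or its configuration format, so the sketch below is an added example and not Acer's or OpenCVE's code; the client IDs, topic names and ACL layout are hypothetical.

```python
# Constructed example: client IDs, topic names and the ACL layout are hypothetical.

def valid_filter(f: str) -> bool:
    """MQTT rule: a wildcard fills a whole level, and '#' may only be the last level."""
    levels = f.split("/")
    if not f or any(c in lvl for lvl in levels if len(lvl) > 1 for c in "+#"):
        return False
    return "#" not in levels[:-1]

def covered(requested: str, granted: str) -> bool:
    """True if every topic matched by `requested` is also matched by `granted`."""
    req, grant = requested.split("/"), granted.split("/")
    # Filters that start with a wildcard never match '$'-prefixed topics such as $SYS.
    if req[0].startswith("$") and grant[0] in ("+", "#"):
        return False
    for i, g in enumerate(grant):
        if g == "#":
            return True            # grant covers this level and everything below
        if i >= len(req) or req[i] == "#":
            return False           # request is shorter, or asks for a whole subtree
        if g != "+" and req[i] != g:
            return False           # literal grant level: request must be the same literal
    return len(req) == len(grant)

def authorize_subscribe(client_id: str, requested: str, acl: dict) -> bool:
    """Default deny: allow only if the filter is valid and some grant covers it."""
    if not valid_filter(requested):
        return False
    return any(covered(requested, g) for g in acl.get(client_id, []))

ACL = {
    "sensor-17": ["devices/sensor-17/#"],
    "dashboard": ["devices/+/status"],
}

if __name__ == "__main__":
    for cid, flt in [("sensor-17", "#"), ("sensor-17", "devices/sensor-17/temp"),
                     ("dashboard", "devices/+/status"), ("dashboard", "devices/#")]:
        print(cid, flt, "ALLOW" if authorize_subscribe(cid, flt, ACL) else "DENY")
```

The check compares filter against filter rather than filter against topic, so a requested `#` or `devices/#` is denied unless a grant is at least as broad.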


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acer; Acer predator Connect W6x
Vendors & Products | | Acer; Acer predator Connect W6x

Fri, 29 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
Title | | Predator Connect W6x: MQTT Broker Access Control
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-29T11:15:34.673Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49198

Vulnrichment

Updated: 2026-05-29T11:15:30.778Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T09:16:18.007

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-49198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:19Z

Weaknesses