Description
Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.
Published: 2026-06-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows callers to interact with critical cellular eSIM allocation endpoints without any authentication. As a result, an attacker could remotely rewrite or delete existing eSIM profiles, which can compromise the device’s connectivity and the integrity of subscriber information. Because the flaw is an authentication bypass, it is classed as CWE-287.

Affected Systems

Acer’s Connect M6E 5G Portable WiFi Router is affected. No specific firmware or model version information is disclosed in the data provided.

Risk and Exploitability

The CVSS v4.0 score of 7.2 indicates a high-risk condition. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote attacker sending unauthenticated requests to the router’s management API over the network. If the API is exposed to external networks, the flaw can be exploited with minimal effort, enabling unauthorized eSIM configuration changes and potential denial of service for cellular connectivity.

Generated by OpenCVE AI on June 4, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied firmware or software update that closes the unauthenticated eSIM management API flaw.
  • Block or limit external traffic to the router’s management network segment, placing the device behind a firewall or in a dedicated administrative zone.
  • Disable or reconfigure remote eSIM endpoints to enforce authentication, or remove them entirely if they are not needed.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware
CPEs | | cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*; cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}


Thu, 04 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.
Title | | Unauthenticated eSIM Configuration Manipulation
Weaknesses | | CWE-287
References | |
Metrics | | cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:32:26.297Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49203

Vulnrichment

Updated: 2026-06-04T12:32:22.903Z

NVD

Status: Analyzed

Published: 2026-06-04T07:16:27.723

Modified: 2026-06-04T19:38:23.497

Link: CVE-2026-49203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T09:00:12Z

Weaknesses