Impact
The vulnerability stems from leftover debug modules that contain fixed credentials for internal AWS Cognito test sandboxes. These credentials are hard‑coded within the router firmware, meaning anyone who can access the modules can obtain valid account credentials. The direct consequence is that an attacker could use the exposed AWS Cognito accounts to access or manipulate data stored behind the Cognito service, potentially leading to unauthorized data exposure or modification. The weakness is categorized as CWE‑798, which describes the use of hard‑coded credentials.
Affected Systems
The affected device is the Acer Connect M6E 5G Portable WiFi Router. No specific firmware versions are listed in the advisory, so all firmware releases that include the debug modules are potentially vulnerable until a patch is issued.
Risk and Exploitability
The CVSS score of 6.9 places the vulnerability in the medium range, reflecting a significant risk if exploited. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote access to the router’s debug interface, which would allow an attacker to read the hard‑coded credentials. Because the credentials are not rotated, exploitation is straightforward once the attacker gains access, underscoring the importance of immediate firmware remediation.
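A defender-side check for the CWE‑798 condition described above, as an added example that is not part of the advisory or the vendor's code: it scans an unpacked firmware tree for AWS Cognito identifiers and quoted password literals, and masks every match in its report. The rule names, file names and sample values are constructed; the advisory publishes no credential values or module paths.

```python
import re
import tempfile
from pathlib import Path

# Publicly documented AWS Cognito identifier shapes; the advisory lists no values.
RULES = {
    "user_pool_id": re.compile(rb"\b[a-z]{2}(?:-[a-z]+)+-\d_[0-9A-Za-z]+\b"),
    "cognito_endpoint": re.compile(
        rb"\bcognito-(?:idp|identity)\.[a-z0-9-]+\.amazonaws\.com\b"),
    "password_literal": re.compile(
        rb"(?i)\b(?:password|passwd|pwd)\b\s*[=:]\s*[\"'][^\"'\s]{6,}[\"']"),
}


def mask(value: bytes) -> str:
    """Keep only the first 4 characters so reports never carry the full secret."""
    return value[:4].decode("ascii", "replace") + "*" * (len(value) - 4)


def scan_tree(root):
    """Return (relative_path, rule, byte_offset, masked_match) for every hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # firmware symlinks often point outside the unpacked tree
        data = path.read_bytes()
        for rule, pattern in RULES.items():
            for m in pattern.finditer(data):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, rule, m.start(), mask(m.group(0))))
    return findings


def scan_constructed_sample():
    """Build a constructed tree (placeholder values only) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/lib").mkdir(parents=True)
        (root / "usr/lib/libdebug_test.so").write_bytes(
            b"\x7fELF\x00pool=us-east-1_EXAMPLE01\x00"
            b"https://cognito-idp.us-east-1.amazonaws.com/\x00"
            b'password = "CONSTRUCTED-pw"\x00')
        (root / "hostname").write_bytes(b"router\n")  # clean file, no hits
        return scan_tree(root)


if __name__ == "__main__":
    for finding in scan_constructed_sample():
        print(*finding, sep="\t")
```

Run `scan_tree` against the root of an extracted firmware image; any hit in a module that ships to customers is a candidate for removal and for rotation of the matching credential.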