Description
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
Published: 2026-06-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from leftover debug modules that contain fixed credentials for internal AWS Cognito test sandboxes. These credentials are hard‑coded within the router firmware, meaning anyone who can access the modules can obtain valid account credentials. The direct consequence is that an attacker could use the exposed AWS Cognito accounts to access or manipulate data stored behind the Cognito service, potentially leading to unauthorized data exposure or modification. The weakness is categorized as CWE‑798, which describes the use of hard‑coded credentials.

Affected Systems

The affected device is the Acer Connect M6E 5G Portable WiFi Router. No specific firmware versions are listed in the advisory, so all firmware releases that include the debug modules are potentially vulnerable until a patch is issued.

Risk and Exploitability

The CVSS score of 6.9 places the vulnerability in the medium range, reflecting a significant risk if exploited. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through local or remote access to the router’s debug interface, which would allow an attacker to read the hard‑coded credentials. Because the credentials are not rotated, the exploitation is straightforward once the attacker gains access, underscoring the importance of immediate firmware remediation.

Generated by OpenCVE AI on June 4, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version released by Acer, which should remove debug modules and hard‑coded credentials.
  • Disable or delete the debug modules that expose the fixed AWS Cognito credentials if you cannot immediately update the firmware.
  • Rotate or revoke any AWS Cognito test account credentials that may still be in use, ensuring that only authorized accounts have access to the Cognito service.

Generated by OpenCVE AI on June 4, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer connect M6e 5g Portable Wifi Router
Vendors & Products Acer connect M6e 5g Portable Wifi Router

Thu, 04 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
CPEs cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
Title Hard-coded AWS Cognito Testing Accounts
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Acer Connect M6e 5g Connect M6e 5g Firmware Connect M6e 5g Portable Wifi Router
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:40:26.271Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49204

cve-icon Vulnrichment

Updated: 2026-06-04T12:40:22.691Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T07:16:27.873

Modified: 2026-06-04T19:35:01.937

Link: CVE-2026-49204

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:58Z

Weaknesses
  • CWE-798

    Use of Hard-coded Credentials