Description
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
Published: 2026-06-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incoming VPN network profile settings in the Acer Connect M6E 5G Portable WiFi Router do not handle special characters safely, allowing an attacker to inject arbitrary commands through malicious configuration files. This weakness, classified as CWE‑78, could enable the execution of any command with the privileges of the router, leading to full compromise of the device.

Affected Systems

The vulnerability affects the Acer Connect M6E 5G Portable WiFi Router. No specific firmware revisions are listed, so all current releases of this model are potentially impacted unless a later firmware patch has been issued.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is not available, so the probability of exploitation remains uncertain, and the vulnerability is not listed in the CISA KEV catalog. The text does not explicitly state the attack vector, but it is inferred that an attacker would have to supply a crafted VPN profile file to the router, which could be achieved by authorized administrative access or by intercepting VPN traffic in environments where unauthorized configuration changes are possible. Once a malicious profile is applied, the attacker can run arbitrary commands on the device.

Generated by OpenCVE AI on June 4, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version released by Acer that addresses the command‑injection flaw.
  • If a firmware update is not available, disable the ability for users to upload or modify VPN configuration profiles, or restrict this capability to trusted administrators only.
  • Audit the router’s configuration files to ensure no unauthorized or malformed VPN profiles are present and remove any that have been identified as suspicious.

Generated by OpenCVE AI on June 4, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer connect M6e 5g Portable Wifi Router
Vendors & Products Acer connect M6e 5g Portable Wifi Router

Thu, 04 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
CPEs cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
Title VPN Command Injection Vulnerability
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Acer Connect M6e 5g Connect M6e 5g Firmware Connect M6e 5g Portable Wifi Router
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:24:42.537Z

Reserved: 2026-06-04T01:29:10.111Z

Link: CVE-2026-50206

cve-icon Vulnrichment

Updated: 2026-06-04T12:24:38.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T07:16:28.177

Modified: 2026-06-04T19:16:36.770

Link: CVE-2026-50206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:54Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')