Description
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
Published: 2026-06-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Broadcast events on the device allow a malicious application to overwrite the default Mobile Device Management endpoint address, effectively changing who controls the device. This flaw enables an attacker to gain full administrative rights, including policy enforcement, firmware updates, and data access, resulting in loss of device integrity and confidentiality. The weakness corresponds to missing or ineffective authorization controls (CWE-732).

Affected Systems

Acer Connect M6E 5G Portable WiFi Router. No version details were supplied; the vulnerability applies to all affected units of this model with the current firmware stack.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the vulnerability is not currently listed in the CISA KEV catalog. The exploitation likelihood is high for an attacker who can generate or modify broadcast events targeting the device, as nothing further is required to trigger the flaw. The absence of an EPSS value precludes an exact estimate, but the combination of remote denial of proper MDM control and the straightforward manipulation mechanism makes the risk significant.

Generated by OpenCVE AI on June 4, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Acer that resolves the default MDM endpoint overwrite vulnerability
  • Limit or disable the device’s broadcast event handling for configuration changes to reduce the window of opportunity for replay attacks
  • Configure network-level isolation or firewall rules to block unsolicited broadcast traffic that could target the device’s MDM interface

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker. |
| Title | | MDM Server Registration Overriding |
| Weaknesses | | CWE-732 |
| References | | |
| Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T07:17:54.018Z

Reserved: 2026-06-04T01:29:10.112Z

Link: CVE-2026-50209

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T09:16:29.423

Modified: 2026-06-04T09:16:29.423

Link: CVE-2026-50209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T09:30:10Z

Weaknesses