Description
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
Published: 2026-06-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Broadcast events on the device allow a malicious application to overwrite the default Mobile Device Management endpoint address, effectively changing who controls the device. This flaw enables an attacker to gain full administrative rights, including policy enforcement, firmware updates, and data access, resulting in loss of device integrity and confidentiality. The weakness corresponds to missing or ineffective authorization controls (CWE‑732).

Affected Systems

Acer Connect M6E 5G Portable WiFi Router. No version details were supplied; the vulnerability applies to all affected units of this model with the current firmware stack.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the vulnerability is not currently listed in the CISA KEV catalog. The exploitation likelihood is high for an attacker who can generate or modify broadcast events targeting the device, as no specific mitigation is required to trigger the flaw. Absence of an EPSS value precludes an exact estimate, but the combination of remote denial of proper MDM control and the straightforward manipulation mechanism makes the risk significant.

Generated by OpenCVE AI on June 4, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Acer that resolves the default MDM endpoint overwrite vulnerability
  • Limit or disable the device’s broadcast event handling for configuration changes to reduce the window of opportunity for replay attacks
  • Configure network-level isolation or firewall rules to block unsolicited broadcast traffic that could target the device’s MDM interface

Generated by OpenCVE AI on June 4, 2026 at 09:21 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Values added (none removed):
  • First Time appeared: Acer connect M6e 5g Portable Wifi Router
  • Vendors & Products: Acer connect M6e 5g Portable Wifi Router

Thu, 04 Jun 2026 19:15:00 +0000

Values added (none removed):
  • First Time appeared: Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware
  • CPEs: cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:* and cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
  • Vendors & Products: Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 04 Jun 2026 13:30:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 08:45:00 +0000

Values added (none removed):
  • Description: Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
  • Title: MDM Server Registration Overriding
  • Weaknesses: CWE-732
  • References
  • Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:42:20.011Z

Reserved: 2026-06-04T01:29:10.112Z

Link: CVE-2026-50209

Vulnrichment

Updated: 2026-06-04T12:42:16.265Z

NVD

Status: Analyzed

Published: 2026-06-04T09:16:29.423

Modified: 2026-06-04T19:14:14.010

Link: CVE-2026-50209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:49Z

Weaknesses
  • CWE-732

    Incorrect Permission Assignment for Critical Resource