Impact
The vulnerability resides in the account validation endpoint /v1/User/validate, which returns a full user profile sheet containing private details. The endpoint appears to lack sufficient authentication or access controls; based on the description, it can be queried with predictable identifiers, allowing an attacker to harvest sensitive data from many user accounts. This results in a mass exposure of confidential user information, compromising the confidentiality of all individuals who use the router.
Affected Systems
The only affected system identified is the Acer Connect M6E 5G Portable WiFi Router. The CVE data lists no specific firmware versions, so users should check whether their router's firmware version is affected. The Acer community article linked in the references confirms the issue on this hardware platform. No other vendors or products are mentioned.
Risk and Exploitability
The CVSS score of 8.7 classifies the issue as high severity. No EPSS data is available, so the probability of exploitation cannot be quantified. The attack vector is network-based: anyone who can send HTTP requests to the router can potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation in the wild, but the potential for mass data exposure remains a significant risk. Exfiltration requires only requesting the endpoint across a range of account identifiers and capturing the returned data, with no privileges beyond network connectivity to the device.
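Because the harvesting pattern described above leaves a distinctive trace (one source pulling many distinct profiles from /v1/User/validate), it can be spotted in access logs. The following detection check is an added example, not part of the advisory or of OpenCVE; it assumes a common-log-style access log and a query parameter named `id`, neither of which the advisory specifies, and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/v1/User/validate"
ID_PARAM = "id"  # assumed parameter name; the advisory does not name it

# Constructed sample lines in a common-log-like format (assumed; the router's
# real log format is not documented). One source walks sequential identifiers,
# a second makes two lookups, one request is rejected (401), one line is junk.
SAMPLE_LOG = """\
192.168.1.20 - - [10/May/2025:10:00:01 +0000] "GET /v1/User/validate?id=1001 HTTP/1.1" 200 512
192.168.1.20 - - [10/May/2025:10:00:01 +0000] "GET /v1/User/validate?id=1002 HTTP/1.1" 200 509
192.168.1.20 - - [10/May/2025:10:00:02 +0000] "GET /v1/User/validate?id=1003 HTTP/1.1" 200 515
192.168.1.20 - - [10/May/2025:10:00:02 +0000] "GET /v1/User/validate?id=1001 HTTP/1.1" 200 512
192.168.1.20 - - [10/May/2025:10:00:03 +0000] "GET /v1/User/validate?id=1004 HTTP/1.1" 200 508
192.168.1.20 - - [10/May/2025:10:00:03 +0000] "GET /v1/User/validate?id=1005 HTTP/1.1" 200 510
192.168.1.20 - - [10/May/2025:10:00:04 +0000] "GET /v1/User/validate?id=1006 HTTP/1.1" 401 83
192.168.1.77 - - [10/May/2025:10:00:05 +0000] "GET /v1/User/validate?id=2042 HTTP/1.1" 200 511
192.168.1.77 - - [10/May/2025:10:00:06 +0000] "GET /v1/User/validate?id=2043 HTTP/1.1" 200 507
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def profile_lookups(lines):
    """Yield (source_ip, identifier) for each request actually served (200) a profile."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # unparseable lines and rejected requests expose nothing
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        for ident in parse_qs(url.query).get(ID_PARAM, []):
            yield m.group("ip"), ident

def find_enumerators(lines, threshold=5):
    """Map source IP -> sorted distinct identifiers for sources that retrieved at
    least `threshold` distinct profiles. Distinct identifiers, not raw request
    counts, separate harvesting from a client re-validating its own account."""
    seen = defaultdict(set)
    for ip, ident in profile_lookups(lines):
        seen[ip].add(ident)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```

Tune `threshold` to the number of accounts a legitimate client on the router would ever look up; on a device like this that is normally one.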
OpenCVE Enrichment