VYPR
Vypr Intelligence · AI-generated · Jun 4, 2026 · 5 CVEs

Acer: Five Vulnerabilities Disclosed Together, Including Two Critical Flaws

Acer patched five vulnerabilities on June 4, 2026, including two critical command injection flaws and three high/medium severity issues across several applications.

Key findings

  • Five Acer vulnerabilities disclosed on June 4, 2026, including critical flaws.
  • Critical command injection vulnerabilities found in FieldX MDM and M3WebServer.
  • High-severity flaws in ai_cmd and VPN profile handling allow root command execution.
  • Medium-severity issue in AcerConnect OTA could lead to credential forgery.
  • Vulnerabilities span command injection, credential forging, and arbitrary code execution.

Acer addressed a cluster of five security vulnerabilities on June 4, 2026, with disclosures spanning a six-hour window. The batch includes two critical, two high, and one medium severity flaw affecting various Acer applications and utilities, highlighting potential risks for users of the affected products.

The most severe issues include a critical command injection vulnerability in the FieldX MDM application (CVE-2026-49185) and another critical flaw in the M3WebServer, which hard-codes backend API keys that can be intercepted via verbose error handling (CVE-2026-49191). These vulnerabilities could allow unauthenticated attackers to gain significant control over affected systems or access sensitive credentials.

Further compounding the risk, two high-severity vulnerabilities were also disclosed. CVE-2026-49188, found in the ai_cmd utility, allows unauthenticated users to execute arbitrary root commands by piping socket inputs directly to popen(). Additionally, CVE-2026-50206 involves a command injection vulnerability stemming from unsafe processing of special characters in incoming VPN network profile settings.
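
The ai_cmd issue described above comes down to handing socket input to a shell through popen(). The following C code is an added example, not Acer's code and not taken from the CVE records: it shows the defensive counterpart, where the bytes received from the socket only select an entry in a fixed allowlist and the action is started with execv() so no shell ever parses them. The action names, the /bin/echo targets and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical allowlist: socket bytes only select an entry with a fixed argv.
 * The flawed shape described above would be popen(request, "r") instead. */
struct action { const char *name; char *const argv[4]; };
static const struct action ACTIONS[] = {
    { "ping-self", { "/bin/echo", "pong", NULL } },
    { "version",   { "/bin/echo", "example-build", NULL } },
};

/* Exact-match lookup; anything not on the allowlist resolves to NULL. */
const struct action *resolve_request(const char *request) {
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(request, ACTIONS[i].name) == 0) return &ACTIONS[i];
    return NULL;
}

/* Runs an allowlisted action via fork/execv (no /bin/sh); one read copies up
 * to outlen-1 bytes of stdout. Returns the exit status, or -1 if rejected. */
int run_request(const char *request, char *out, size_t outlen) {
    const struct action *a = resolve_request(request);
    int fds[2], status = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (a == NULL || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(a->argv[0], a->argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {                          /* constructed sample requests */
    char buf[64];
    printf("%d %d\n", run_request("ping-self", buf, sizeof buf),
           run_request("version; id", buf, sizeof buf));
    return 0;
}
```

Because the request is compared as a whole string and never concatenated into a command line, shell metacharacters in it have no meaning; the same approach applies to fields taken from a network profile.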

A medium-severity vulnerability, CVE-2026-50226, affects the AcerConnect OTA application. This flaw involves fixed AES-128-CBC keys that could enable attackers to forge authorization credentials for arbitrary IMEI numbers, potentially leading to the listing of catalog items and the extraction of protected binaries.

Specific affected versions and patch availability were not immediately provided in the initial disclosures for all CVEs. However, the simultaneous disclosure suggests a coordinated effort by Acer's security team to address these issues. Users are strongly advised to consult Acer's official security advisories for the most up-to-date information on affected products and recommended actions.

This batch of vulnerabilities underscores the importance of regular security updates for all software, especially for system utilities and applications handling sensitive data or network configurations. The presence of critical command injection flaws highlights the need for diligent patch management.

AI-written article. Grounded in 5 CVE records listed below.