Connect M6e 5g Firmware
by Acer
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50214 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. | ||
| CVE-2026-50211 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | ||
| CVE-2026-49191 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. | ||
| CVE-2026-49188 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. | ||
| CVE-2026-49186 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands. | ||
| CVE-2026-49185 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. | ||
| CVE-2026-50208 | Cri | 0.61 | 9.4 | 0.00 | Jun 4, 2026 | High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic. | ||
| CVE-2026-50225 | Cri | 0.59 | 9.1 | 0.00 | Jun 4, 2026 | The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. | ||
| CVE-2026-49194 | Hig | 0.57 | 8.8 | 0.00 | Jun 4, 2026 | The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface. | ||
| CVE-2026-49190 | Hig | 0.57 | 8.8 | 0.00 | Jun 4, 2026 | The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions. | ||
| CVE-2026-50205 | Hig | 0.53 | 8.2 | 0.00 | Jun 4, 2026 | System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data. | ||
| CVE-2026-50209 | Hig | 0.51 | 7.8 | 0.00 | Jun 4, 2026 | Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker. | ||
| CVE-2026-50207 | Hig | 0.51 | 7.8 | 0.00 | Jun 4, 2026 | The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity. | ||
| CVE-2026-49189 | Hig | 0.51 | 7.8 | 0.00 | Jun 4, 2026 | Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations. | ||
| CVE-2026-50213 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings. | ||
| CVE-2026-50210 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption. | ||
| CVE-2026-49193 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet. | ||
| CVE-2026-49187 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse. | ||
| CVE-2026-50206 | Med | 0.44 | 6.8 | 0.01 | Jun 4, 2026 | Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files. | ||
| CVE-2026-50212 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service. |
- risk 0.64cvss 9.8epss 0.00
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
- risk 0.64cvss 9.8epss 0.00
Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.
- risk 0.64cvss 9.8epss 0.00
The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.
- risk 0.64cvss 9.8epss 0.00
The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands.
- risk 0.64cvss 9.8epss 0.00
The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.
- risk 0.64cvss 9.8epss 0.00
The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection.
- risk 0.61cvss 9.4epss 0.00
High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.
- risk 0.59cvss 9.1epss 0.00
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
- risk 0.57cvss 8.8epss 0.00
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
- risk 0.57cvss 8.8epss 0.00
The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.
- risk 0.53cvss 8.2epss 0.00
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.
- risk 0.51cvss 7.8epss 0.00
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
- risk 0.51cvss 7.8epss 0.00
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.
- risk 0.51cvss 7.8epss 0.00
Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
- risk 0.49cvss 7.5epss 0.00
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.
- risk 0.49cvss 7.5epss 0.00
The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.
- risk 0.49cvss 7.5epss 0.00
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
- risk 0.49cvss 7.5epss 0.00
The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.
- risk 0.44cvss 6.8epss 0.01
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
- risk 0.42cvss 6.5epss 0.00
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service.
Page 1 of 2