How is CVE-2026-49185 exploited?

Network reachability (required): The attacker must reach the device's adb messaging endpoint over the network; the AV:N vector means no local or physical access is needed. Authentication (not-required): No credentials or account of any privilege level are required to deliver the malicious payload. Victim interaction (not-required): The attack is entirely server-side; no user on the target device needs to click, open, or approve anything. Attack complexity (info): Exploitation is reliable and condition-free: no race conditions, memory-layout dependencies, or special environmental factors need to be satisfied (AC:L, AT:N).

What is the impact of CVE-2026-49185?

The attacker executes arbitrary OS commands as the process owner of the MDM runtime, gaining a shell on the router. All data stored on or transiting the device is readable, including credentials, VPN configurations, and connected-client traffic metadata. The attacker can modify device configuration, inject routing rules, or install persistent backdoors affecting every client on the WiFi segment. The device can be crashed or rendered inoperable, disrupting network connectivity for all clients relying on the router for 5G access.

Back to search

CRITICALCVE-2026-49185Published 2026-06-04Modified 2026-06-04CNA Acer

CVE-2026-49185: Instruction Injection via FieldX MDM

The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection.

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in the Acer FieldX MDM component of the Connect M6E 5G Portable WiFi Router allows a remote, unauthenticated attacker to execute arbitrary operating system commands by sending a crafted payload to the adb messaging topic, which is passed without sanitization directly into Runtime.exec(). The attack requires no authentication and no victim interaction, making it exploitable by anyone who can reach the device over the network. Successful exploitation gives the attacker full control over the device, including read, write, and denial-of-service capabilities on both the local system and dependent network services. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-49185 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate the affected FieldX MDM component. Any image carrying a version of the Acer Connect M6E firmware package at or below M6E_AI_1.00.000019 is flagged automatically during pipeline scans and registry sweeps.

Available

Triage

HarborGuard scores this CVE at CVSS 10.0 Critical and weights it against each customer environment's compliance policy to determine urgency and escalation path. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor releases a corrected version. In the interim, customers with auto-remediation enabled will receive compensating-control recommendations and can configure network-policy isolation rules through the HarborGuard policy engine to reduce exposure.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the device's adb messaging endpoint over the network; the AV:N vector means no local or physical access is needed.
AuthenticationNot required
No credentials or account of any privilege level are required to deliver the malicious payload.
Victim interactionNot required
The attack is entirely server-side; no user on the target device needs to click, open, or approve anything.
Attack complexityDetail
Exploitation is reliable and condition-free: no race conditions, memory-layout dependencies, or special environmental factors need to be satisfied (AC:L, AT:N).

Blast Radius

The attacker executes arbitrary OS commands as the process owner of the MDM runtime, gaining a shell on the router.
All data stored on or transiting the device is readable, including credentials, VPN configurations, and connected-client traffic metadata.
The attacker can modify device configuration, inject routing rules, or install persistent backdoors affecting every client on the WiFi segment.
The device can be crashed or rendered inoperable, disrupting network connectivity for all clients relying on the router for 5G access.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-49185 is tracked continuously with no upstream fix currently available. On every ingest cycle, HarborGuard re-evaluates the advisory against published vendor guidance and will trigger patched-image rebuild availability and, for customers with auto-remediation enabled, a full rebuild plus regression run plus PR opened against affected workloads the moment Acer publishes a fix. While no patch exists, customers can use HarborGuard's network-policy tooling to generate isolation rules that restrict inbound access to the adb messaging interface, apply egress filtering to limit lateral movement from a compromised device, and flag any image carrying the affected firmware version as blocked in deployment gates. Compensating controls are available for configuration directly from the CVE detail panel in the HarborGuard dashboard.

See how HarborGuard automates this

Affected packages

Acer / Connect M6E 5G Portable WiFi Router
≤ M6E_AI_1.00.000019

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

community.acer.com

Metrics

Get notified