HIGH | CVE-2026-49187 | CNA: Acer

CVE-2026-49187: Hard-coded APK Resource Credentials & Scepters

The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A hard-coded credentials vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). The flaw is reachable over the network with no authentication required, exposing APK resource credentials and shared scepter tokens that never expire. Successful exploitation gives an attacker read access to sensitive configuration or authentication material, enabling information disclosure and potential misuse of the exposed credentials. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Acer publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-49187 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Acer firmware layers.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) and surfaces it with per-environment compliance policy weighting to prioritize routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

No fix version has been published by Acer for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation and egress filtering for affected router management interfaces are available for review in the HarborGuard remediation guidance panel.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable service is exposed over the network, meaning an attacker must be able to reach it remotely with no requirement for physical or adjacent-network access.

  • Authentication: Not required

    No credentials or prior account access are needed; the hard-coded resource files and shared scepter are accessible to any unauthenticated caller.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from a legitimate user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental pre-conditions to succeed.

Blast Radius

  • Attacker reads hard-coded APK resource credentials that never expire, gaining persistent access to the exposed authentication material.
  • Attacker obtains the shared scepter token and can reuse it to impersonate authorized clients or access protected router functionality.
  • Exposed credentials may be leveraged to enumerate router configuration details, including connected device information or network topology.

How HarborGuard Handles This

Available on HarborGuard: because Acer has not yet published a fix for CVE-2026-49187, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch exists, the HarborGuard remediation guidance panel surfaces compensating controls including network-policy isolation to restrict access to the router management interface, egress filtering to limit lateral reuse of leaked credentials, and feature-flag gating where applicable. The CVE is flagged at HIGH severity (CVSS 8.7) so it surfaces at the top of affected-image queues and routes to the appropriate team inbox based on each organization's configured ownership policy.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N