How is CVE-2026-49188 exploited?

Network reachability (info): The attacker must be on an adjacent network (local LAN, Wi-Fi segment, or VPN) to reach the ai_cmd socket interface; remote internet-based access is not required but physical co-location on the same network segment is. Authentication (not-required): No credentials are required; the ai_cmd socket interface accepts input from unauthenticated users. Victim interaction (not-required): No victim interaction is needed; the attacker sends socket input directly to the vulnerable service without any user action on the target device. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.

What is the impact of CVE-2026-49188?

The attacker executes arbitrary commands as root on the router, gaining full administrative control over the device firmware and OS. The attacker can read all data stored or transiting the device, including Wi-Fi credentials, DHCP leases, and connected-client information. The attacker can modify router configuration, redirect DNS, or inject traffic rules, affecting all devices on the network segment served by the router. The attacker can crash or reboot the router, disrupting network connectivity for all clients depending on it.

Back to search

HIGHCVE-2026-49188Published 2026-06-04Modified 2026-06-04CNA Acer

CVE-2026-49188: Elevated Root Command Execution via ai_cmd Sockets

The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated command injection vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). The ai_cmd utility runs as root and passes socket input directly to popen() without sanitization, allowing any attacker on an adjacent network to inject arbitrary shell commands with no credentials required. Successful exploitation gives the attacker full root-level command execution on the device. No fix version has been published; HarborGuard tracks the advisory and will surface a patched rebuild the moment upstream releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built firmware or embedded-Linux images derived from affected Acer packages. Any image carrying an affected firmware version will be flagged automatically.

Available

Triage

HarborGuard scores this CVE at CVSS 8.7 (High) and is capable of weighting that score against each customer environment's compliance policy to adjust priority and route alerts to the appropriate team inbox within the customer org.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream vendor ships a corrected firmware release. Customers with auto-remediation enabled will have a rebuild triggered, a regression test run, and a PR opened against affected workloads automatically once a fix version appears.

Pending upstream

Exploit Conditions

Network reachabilityDetail
The attacker must be on an adjacent network (local LAN, Wi-Fi segment, or VPN) to reach the ai_cmd socket interface; remote internet-based access is not required but physical co-location on the same network segment is.
AuthenticationNot required
No credentials are required; the ai_cmd socket interface accepts input from unauthenticated users.
Victim interactionNot required
No victim interaction is needed; the attacker sends socket input directly to the vulnerable service without any user action on the target device.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.

Blast Radius

The attacker executes arbitrary commands as root on the router, gaining full administrative control over the device firmware and OS.
The attacker can read all data stored or transiting the device, including Wi-Fi credentials, DHCP leases, and connected-client information.
The attacker can modify router configuration, redirect DNS, or inject traffic rules, affecting all devices on the network segment served by the router.
The attacker can crash or reboot the router, disrupting network connectivity for all clients depending on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49188 is active and will flag any image in a customer registry or build pipeline that carries an affected version of the Acer Connect M6E 5G firmware. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment Acer publishes a corrected firmware version. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation of the router management interface to trusted VLANs only, egress filtering to limit what commands the device can initiate outbound, and disabling any non-essential socket-exposed services at the firmware level where the platform permits.

See how HarborGuard automates this

Affected packages

Acer / Connect M6E 5G Portable WiFi Router
≤ M6E_AI_1.00.000019

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

community.acer.com

Metrics

Get notified