Severity: HIGH | CVE-2026-49189 | CNA: Acer

CVE-2026-49189: Broadcast Receiver Privilege Escalation

Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability affects the Acer Connect M6E 5G Portable WiFi Router firmware (versions up to and including M6E_AI_1.00.000019). A core Broadcast Receiver component exposes administrative operations without enforcing access controls, so any local application or process on the device can invoke them without elevated privileges. Successful exploitation gives an attacker full control over device administration functions, with impact on the confidentiality, integrity, and availability of the system. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Acer publishes a fix version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected firmware layers. Any image carrying the vulnerable Acer Connect M6E 5G firmware version is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available
Triage

HarborGuard is capable of scoring this finding at CVSS 8.5 (High) and weighting it against each environment's compliance policy to determine priority and routing. Triage results are available for delivery to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published by Acer, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerable Broadcast Receiver.

  • Authentication: Required

    A low-privilege local account or application context is sufficient; no administrator credentials are needed to invoke the unprotected administrative operations.

  • Victim interaction: Not required

    No user action is required; the attacker can invoke the Broadcast Receiver directly without any victim interaction.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout dependencies.

Blast Radius

  • Reads sensitive device configuration data and stored credentials accessible through the exposed administrative interface.
  • Modifies device settings, network configurations, and administrative state without authorization.
  • Crashes or disrupts the router service, causing loss of connectivity for all clients depending on the device.
  • Gains persistent administrative control over the device by abusing the unrestricted Broadcast Receiver to install or activate further payloads.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is active across all scanning environments, flagging images built on affected Acer Connect M6E 5G firmware (M6E_AI_1.00.000019 and below) as soon as they appear in a registry or pipeline. Because Acer has not yet published a fix, no patched rebuild is currently available; HarborGuard monitors the advisory on every ingest cycle and will trigger a rebuild automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict which processes can communicate with or alongside the device, egress filtering to limit what an exploiting process can reach, and feature-flag gating on any application layers that interact with the router's administrative interface.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N