CVE-2026-49194: SCREEN_CLICK Authentication Bypass
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability affects the Acer Connect M6E 5G Portable WiFi Router running firmware version M6E_AI_1.00.000019 and earlier. The flaw is reachable over the network and requires only a low-privilege account, allowing an attacker to invoke the SCREEN_CLICK(5053) debugging routine to skip the device login prompt entirely and drop into an interactive shell. Successful exploitation gives an attacker full control over the router, including reading, modifying, and disrupting all traffic and configuration handled by the device. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Acer publishes a fix version.
HarborGuard Coverage
Detection for CVE-2026-49194 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication by ingesting upstream feeds from Acer and coordinating CNAs. This coverage extends to custom-built images that bundle or depend on affected Acer firmware components, not just images pulled from public registries.
Available
HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 9.4 (Critical) and weighting that score against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules for network-device or firmware image types.
Available
Because no fix version has been published by Acer, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the router's management interface over the network; the SCREEN_CLICK debugging routine is exposed as a network-accessible service.
- Authentication: Required
  A low-privilege account credential is sufficient to trigger the bypass; no administrative access is needed to invoke the vulnerable debugging routine.
- Victim interaction: Not required
  No user or administrator action on the target device is needed; the attacker initiates the exploit entirely without victim participation.
- Attack complexity: Detail
  The exploit is reliable and condition-free, with no race conditions or special environmental factors required to successfully invoke the SCREEN_CLICK bypass.
Blast Radius
- Attacker gains an interactive root-level shell on the router, with full read access to stored credentials, Wi-Fi passphrases, and device configuration.
- Attacker can modify routing tables, firewall rules, and DNS settings, redirecting or intercepting all traffic passing through the device.
- Attacker can crash or reboot the router, cutting off network connectivity for all clients depending on it.
- Compromise of the router's management plane extends to any connected network segments, enabling lateral movement into adjacent systems reachable through the device.
How HarborGuard Handles This
Available on HarborGuard: because Acer has not yet published a fix version for CVE-2026-49194, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a full regression run and PR against affected workloads the moment a fix ships. In the interim, compensating controls worth evaluating include network-policy isolation to restrict access to the router's management interface to trusted source IPs only, egress filtering to limit what the device can reach if compromised, and disabling or firewalling any externally reachable management ports that expose the SCREEN_CLICK debugging routine. Given the Critical CVSS score of 9.4 and the absence of any authentication barrier beyond a low-privilege credential, prioritizing these controls in affected environments is strongly warranted until a vendor patch is available.
- Acer / Connect M6E 5G Portable WiFi Router: ≤ M6E_AI_1.00.000019
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
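Because no fixed version exists yet, the first practical step is finding which deployed units fall inside the affected range. The following is an added example, not HarborGuard or Acer code: it classifies firmware strings from an asset inventory against the advisory's ceiling, assuming the version layout is `<model>_<variant>_<major>.<minor>.<build>` and orders numerically; the host names and all versions other than the ceiling are constructed.

```python
import re

# Affected ceiling taken from the advisory; no fixed version is published.
AFFECTED_MAX = "M6E_AI_1.00.000019"

# Assumed layout: <model>_<variant>_<major>.<minor>.<build>, compared numerically.
_FW_RE = re.compile(r"^(M6E)_([A-Z]+)_(\d+)\.(\d+)\.(\d+)$")


def parse_firmware(version):
    """Return (train, (major, minor, build)) or None if the string does not match."""
    m = _FW_RE.match(version.strip())
    if not m:
        return None
    train = f"{m.group(1)}_{m.group(2)}"
    return train, tuple(int(x) for x in m.group(3, 4, 5))


def classify(version, ceiling=AFFECTED_MAX):
    """Classify one firmware string as 'affected', 'not-listed' or 'unknown'."""
    parsed = parse_firmware(version)
    limit = parse_firmware(ceiling)
    if parsed is None or parsed[0] != limit[0]:
        return "unknown"  # different train or unparseable: needs manual review
    # 'not-listed' means above the advisory's range, not confirmed fixed.
    return "affected" if parsed[1] <= limit[1] else "not-listed"


def triage(inventory):
    """Map each (host, firmware) pair to its classification."""
    return {host: classify(fw) for host, fw in inventory}


# Constructed inventory for illustration; hosts and most versions are made up.
SAMPLE_INVENTORY = [
    ("router-a", "M6E_AI_1.00.000019"),
    ("router-b", "M6E_AI_1.00.000007"),
    ("router-c", "M6E_AI_1.00.000023"),
    ("router-d", "unknown-build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Units reported as `affected` or `unknown` are the ones to place behind the management-interface restrictions described above until a vendor fix is published.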