HarborGuard / CVE
Back to search
HIGHCVE-2026-49195Published Modified CNA Acer

CVE-2026-49195: Predator Connect W6x: unauthenticated Debug Service

Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An unauthenticated debug service on the Acer Predator Connect W6x router exposes the /sbin/mtk_dut binary on TCP port 9000, letting any attacker on the local network issue arbitrary UCC commands without credentials. The flaw is reachable from the adjacent LAN with no authentication and no user interaction, and successful exploitation yields full read, write, and disruption capability on the device. No fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines. Coverage extends to custom-built images, including firmware-derived container artifacts that ship the affected mtk_dut binary.

Available
Triage

Triage is available with the CVSS v4.0 score of 8.7 (HIGH) attached to each finding and weighted against per-environment compliance policy, so network-exposed device images can be escalated above library-only matches. Findings route to the appropriate inbox inside each customer org based on ownership metadata.

Available
Patch

No upstream fix is currently published. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer ships a fixed firmware or package, with auto-remediation customers receiving a rebuild, regression run, and PR opened against affected workloads at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityDetail

    Exploitation requires adjacent-network access, meaning the attacker must be on the same LAN or VPN segment as the router.

  • AuthenticationNot required

    The debug service on TCP port 9000 accepts commands with no credentials of any kind.

  • Victim interactionNot required

    The attacker connects directly to the exposed port; no user action on the device is needed.

  • Attack complexityDetail

    Attack complexity is low: the service is reliably reachable and accepts UCC commands without environmental preconditions.

Blast Radius

  • Executes arbitrary UCC commands on the router, giving the attacker control over device behavior and configuration.
  • Reads sensitive device state and traffic-handling data exposed through the debug interface.
  • Modifies router configuration and persisted settings, enabling traffic redirection or persistent backdoors.
  • Disrupts routing and connectivity for every client on the LAN by crashing or reconfiguring the service.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Acer advisory with automatic ingestion the moment a fixed version is published, at which point a patched-image rebuild becomes available and auto-remediation customers receive a rebuild, regression run, and PR opened against affected workloads. In the meantime, HarborGuard surfaces compensating-control suggestions for affected environments, including network-policy isolation of management interfaces, blocking inbound TCP/9000 at the LAN boundary, and egress filtering to limit lateral movement from any compromised device.

See how HarborGuard automates this

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1
Affected packages
  • Acer / Predator Connect W6x
    ≤ *
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
References