CVE-2026-49198: Predator Connect W6x: MQTT Broker Access Control
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
HarborGuard Analysis
Synopsis
Improper access control in the MQTT broker on the Acer Predator Connect W6x lets any authenticated client subscribe to wildcard topics and read every message flowing through the broker. The flaw is reachable over the network and only requires a low-privilege MQTT account, with successful exploitation exposing all MQTT traffic, including data from other tenants and devices, to the attacker. No fixed version has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against firmware and container images in customer registries and CI pipelines, including custom-built images that embed Predator Connect W6x components.
- Triage: Available. The published CVSS v4.0 score of 8.3 (High) is applied and weighted against each customer organization's compliance policy, then routed to the appropriate inbox inside the customer org so the right owners see it.
- Remediation: Pending upstream. With no upstream fix published, HarborGuard re-checks the Acer advisory each ingest cycle and will make a patched image rebuild available the moment a fixed firmware or component version ships; auto-remediation customers get an automated rebuild, regression run, and PR against affected workloads at that point.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the MQTT broker over the network on its listening port.
- Authentication: Required
  A low-privilege MQTT account is sufficient; no admin role is needed.
- Victim interaction: Not required
  Exploitation is entirely attacker-driven and does not require any user action.
- Attack complexity: Low
  The exploit is reliable and condition-free, requiring only a wildcard topic subscription.
Blast Radius
- Reads every MQTT message published through the broker, including topics belonging to other devices and tenants.
- Harvests credentials, device telemetry, and command payloads that transit the broker in cleartext.
- Expands disclosure beyond the vulnerable component, since broker traffic typically carries data from connected systems and downstream services.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Acer advisory for a fixed version, with the CVE flagged on any image that ships Predator Connect W6x components. While no upstream patch exists, HarborGuard surfaces compensating-control suggestions such as restricting MQTT broker exposure with network policy, enforcing per-client ACLs that deny wildcard subscriptions, isolating the broker behind VPN or mTLS, and gating affected device integrations behind a feature flag. The moment Acer publishes a fix, a patched image rebuild becomes available automatically, and environments with auto-remediation enabled receive a rebuild, regression run, and PR opened against affected workloads.
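The exploit condition above (a single wildcard subscription) and the compensating control suggested here (per-client ACLs that deny wildcard subscriptions) come down to one broker-side decision: what SUBSCRIBE filters a client is allowed to register. The following is an added example, not HarborGuard's or Acer's code and not the Predator Connect W6x broker's logic. It implements MQTT 3.1.1 topic-filter matching (`+` one level, `#` the remainder, neither matching `$SYS`), shows the permissive check that the advisory describes (any authenticated client may subscribe to anything), and beside it a per-client ACL that confines a low-privilege client to its own topic prefix. The client ids, roles, topic names and the `devices/<client_id>/` prefix convention are all assumptions constructed for the example.

```python
"""Broker-side SUBSCRIBE authorization for MQTT topic filters (added example).

Not code from the advisory, the vendor or HarborGuard. The 'devices/<client_id>/'
prefix rule, the client ids and the sample topics are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' matches exactly one level, '#' the rest of the topic.

    A filter that starts with a wildcard never matches a '$'-prefixed topic
    (e.g. $SYS/...), as the specification requires.
    """
    flevels = filt.split("/")
    tlevels = topic.split("/")
    if topic.startswith("$") and flevels[0] in ("#", "+"):
        return False
    for i, f in enumerate(flevels):
        if f == "#":
            return True  # 'a/#' also matches the parent 'a'
        if i >= len(tlevels):
            return False
        if f != "+" and f != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def is_valid_filter(filt: str) -> bool:
    """Reject malformed filters: '#' only as the last whole level, '+' only as a whole level."""
    if not filt:
        return False
    levels = filt.split("/")
    for i, lvl in enumerate(levels):
        if "#" in lvl and (lvl != "#" or i != len(levels) - 1):
            return False
        if "+" in lvl and lvl != "+":
            return False
    return True


@dataclass(frozen=True)
class Client:
    client_id: str
    role: str  # constructed roles: "device" (low privilege) or "admin"


def own_prefix(client: Client) -> str:
    """Constructed convention: each client owns the subtree devices/<client_id>/."""
    return f"devices/{client.client_id}/"


def authorize_subscribe_permissive(client: Client, filt: str) -> bool:
    """The weak behaviour the advisory describes: authenticated means allowed."""
    return is_valid_filter(filt)


def authorize_subscribe(client: Client, filt: str) -> tuple[bool, str]:
    """Hardened check: low-privilege clients may only subscribe under their own prefix.

    Because the prefix is compared literally, a '#' or '+' anywhere in the
    prefix levels (e.g. '#', 'devices/+/cmd') fails the check, so wildcards
    cannot widen a subscription to other tenants' topics.
    """
    if not is_valid_filter(filt):
        return False, "malformed topic filter"
    if client.role == "admin":
        return True, "admin role"
    prefix = own_prefix(client)
    if not filt.startswith(prefix):
        return False, f"filter outside {prefix}"
    return True, "within own prefix"


# Constructed sample of topics seen on a shared broker.
SAMPLE_TOPICS = [
    "devices/d1/telemetry",
    "devices/d2/telemetry",
    "devices/d2/cmd",
    "$SYS/broker/uptime",
]


def delivered_topics(filt: str, topics: list[str]) -> list[str]:
    """Which of the given topics a subscription with this filter would receive."""
    return [t for t in topics if topic_matches(filt, t)]


if __name__ == "__main__":
    low = Client("d1", "device")
    print("permissive:", authorize_subscribe_permissive(low, "#"),
          "->", delivered_topics("#", SAMPLE_TOPICS))
    print("hardened:  ", authorize_subscribe(low, "#"))
    print("hardened:  ", authorize_subscribe(low, "devices/d1/#"))
```

Under the permissive check a `#` subscription from the low-privilege client receives every non-`$SYS` topic on the broker, which is the blast radius listed above; under the hardened check the same client keeps only `devices/d1/#`. In brokers that support pattern ACLs the same prefix rule is expressed in configuration rather than code (Mosquitto's `acl_file`, for instance, has `pattern read devices/%c/#`), and the wildcard-denial property then depends on the broker enforcing ACLs at SUBSCRIBE time rather than only at delivery, which is worth verifying against the broker's documentation.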
Metrics
- CVSS v4.0: 8.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Acer / Predator Connect W6x: versions ≤ * (no fixed upper bound)
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N