CVE-2026-49199: Predator Connect W6x: RCE via MQTT
Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device.
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in the Acer Predator Connect W6x router that can be reached over the network through its MQTT message handler. An unauthenticated attacker who can send crafted MQTT messages to the device triggers shell command execution and gains root-level code execution, fully compromising the device. No fix has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment Acer ships one.
HarborGuard Coverage
Detection (Available)
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle Predator Connect W6x firmware or related components. Matches are flagged on the next scan cycle for any affected workload.
Triage (Available)
Triage is available with the published CVSS v4.0 score of 10.0 (critical), weighted against each customer organization's compliance policy so internet-exposed and IoT-adjacent workloads escalate ahead of isolated ones. Findings are routed to the appropriate inbox inside each customer org based on image ownership and policy tags.
Patched-image rebuild (Pending upstream)
No upstream fix has been published yet, so HarborGuard re-checks the Acer advisory on each ingest cycle and will make a patched-image rebuild available the moment a fixed firmware version ships. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and a PR against affected workloads automatically once the fix lands.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the device's MQTT listener over the network (AV:N).
- Authentication: Not required
  No credentials are needed; the MQTT message handler accepts the crafted payload unauthenticated (PR:N).
- Victim interaction: Not required
  No user action is needed on the device side; the attacker sends the message directly (UI:N).
- Attack complexity: Low
  Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions or environmental factors.
Blast Radius
- Executes arbitrary commands as root on the Predator Connect W6x, giving full control of the device's operating system.
- Reads, modifies, or deletes any configuration, credentials, and traffic data stored on or passing through the router.
- Disrupts or disables routing and connectivity for every client behind the device, and can pivot to attack other systems on the LAN.
- Impacts extend beyond the device itself (SC:H/SI:H/SA:H), so a compromised router can be used to tamper with downstream hosts and services.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Acer advisory for this CVE, with automatic rebuild availability the moment a fixed firmware version is published upstream. In the meantime, the platform surfaces compensating-control suggestions for affected environments, such as blocking inbound MQTT (typically TCP 1883/8883) at the network edge, restricting the MQTT listener to a management VLAN or VPN, and adding egress filtering to limit what a compromised device can reach. For customers who opt into auto-remediation, the patched-image rebuild, regression-test run, and PR against affected workloads will fire automatically once Acer ships the fix.
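The compensating controls listed above, written out as an nftables ruleset. This is an added example, not code from the HarborGuard advisory or from Acer; it assumes the management VLAN/VPN is 10.10.0.0/24 (a placeholder) and the default MQTT ports the advisory cites (TCP 1883 plain, 8883 TLS), and only IPv4 rules are shown.

```shell
#!/bin/sh
# Added example (not from the advisory): nftables rules for the compensating
# controls while no fix exists: inbound MQTT restricted to the management
# network, everything else dropped, plus egress filtering for the device.
# Assumed placeholder: management VLAN/VPN is 10.10.0.0/24. IPv4 only; add
# matching ip6 rules if the listener is reachable over IPv6.
MGMT_CIDR="${MGMT_CIDR:-10.10.0.0/24}"

# Emit the ruleset to stdout so it can be reviewed before anything is loaded.
mqtt_ruleset() {
    cat <<EOF
table inet mqtt_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # Inbound: only the management network may reach the MQTT listener;
        # every other source is counted and dropped (unauthenticated RCE path).
        ip saddr ${MGMT_CIDR} tcp dport { 1883, 8883 } accept
        tcp dport { 1883, 8883 } counter drop comment "CVE-2026-49199 MQTT exposure"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # Egress: limit what a compromised device can reach. Replies to existing
        # flows, loopback, the management network and DNS/NTP stay open;
        # anything else (payload downloads, callbacks) is counted and dropped.
        ct state established,related accept
        oif lo accept
        ip daddr ${MGMT_CIDR} accept
        udp dport { 53, 123 } accept
        counter drop comment "CVE-2026-49199 egress restriction"
    }
}
EOF
}

# Load the ruleset atomically; needs root and nftables on the host.
apply_ruleset() {
    mqtt_ruleset | nft -f -
}

# Sanity check before applying: both the allow rule and the drop rule for the
# MQTT ports must be present, otherwise the listener is still exposed.
ruleset_is_complete() {
    out=$(mqtt_ruleset)
    echo "$out" | grep -q "ip saddr ${MGMT_CIDR} tcp dport { 1883, 8883 } accept" &&
        echo "$out" | grep -q 'tcp dport { 1883, 8883 } counter drop'
}

# Print for review by default; pass --apply to load it (root required).
if [ "${1:-}" = "--apply" ]; then apply_ruleset; else mqtt_ruleset; fi
```

The input chain belongs on whichever host terminates MQTT for the router (the router itself if it runs nftables, otherwise the edge firewall in front of it); the output chain only constrains traffic the device itself originates, not traffic it forwards for LAN clients.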
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: — (no fix published)
- Affected Products: 1
  - Acer / Predator Connect W6x, versions ≤ * (all versions)
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H