HIGH | CVE-2026-49203 | CNA: Acer

CVE-2026-49203: Unauthenticated eSIM Configuration Manipulation

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.

Metrics

  • CVSS v4.0: 7.2
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). An attacker on the same network can reach the management API without any credentials and rewrite or delete eSIM cellular profiles. Successful exploitation lets an attacker disrupt cellular connectivity entirely or substitute their own remote eSIM profile on the device. HarborGuard is tracking the upstream advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images containing affected firmware or management layers. Any image carrying the Acer Connect M6E 5G firmware at or below the affected version is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.2 HIGH using the published CVSS v4.0 vector and applies each customer org's compliance policy weighting to determine urgency and routing. The finding is dispatched to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available

Patch

No fix version has been published upstream. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer publishes a remediated firmware version. Until then, customers can apply compensating controls through HarborGuard's network-policy recommendations as described below.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on an adjacent network (LAN, WiFi, or VPN) to reach the management API; remote internet-based exploitation without adjacent access is not possible under this vector.

  • Authentication: Not required

    No credentials of any kind are needed; the management API endpoints perform no caller authorization checks.

  • Victim interaction: Not required

    The attacker can exploit this entirely on their own without any action from a user or administrator of the device.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental dependencies are required.

Blast Radius

  • Attacker overwrites active eSIM remote profiles, redirecting cellular data traffic through a profile the attacker controls.
  • Attacker deletes provisioned eSIM profiles, cutting off cellular connectivity for the device and any clients depending on it for internet access.
  • Confidential eSIM provisioning data (carrier identifiers, profile metadata) stored in affected endpoints is readable by the attacker.

How HarborGuard Handles This

Available on HarborGuard: any image at or below firmware version M6E_AI_1.00.000019 is flagged within minutes of the CVE entering the ingest pipeline, covering both registry-hosted images and images built in customer CI pipelines. Because no upstream fix exists, auto-remediation rebuild is not yet available. Where compliance policy permits, HarborGuard can surface a network-policy isolation recommendation to restrict adjacent-network access to the management API port, limiting exposure while the vendor prepares a patch. Customers with advisory-monitoring enabled will receive an automatic notification and, where auto-remediation is configured, a rebuilt image and regression run will be triggered the moment Acer publishes a patched firmware version.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N