Severity: HIGH | CVE-2026-50206 | CNA: Acer

CVE-2026-50206: VPN Command Injection Vulnerability

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). The flaw is reachable from an adjacent network and requires an admin-level account; it is triggered by sending a malicious VPN network profile config file containing special characters that the router fails to sanitize before passing to a system shell. Successful exploitation gives the attacker arbitrary command execution on the device with the privileges of the VPN profile handler. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Acer publishes a fix.
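An added example, not Acer's or HarborGuard's code, of the two controls this class of flaw calls for: allowlist validation of every profile field, and handing values to the helper as an argument vector instead of a shell string. The `key=value` profile format, the field names and the `vpn-helper` binary are assumptions made for illustration.

```python
import re

# Hypothetical fields: allowlist what each value may be instead of
# blocklisting shell metacharacters, so unexpected input fails closed.
# The leading-character rule also stops a value being read as an option.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}"),
    "server": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}"),
    "port": re.compile(r"[1-9][0-9]{0,4}"),
    "protocol": re.compile(r"udp|tcp"),
}

def parse_profile(text):
    """Parse constructed 'key=value' lines into a dict."""
    profile = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        profile[key.strip()] = value.strip()
    return profile

def validate_profile(profile):
    """Return a list of problems; an empty list means accepted."""
    problems = [f"unknown field {k!r}" for k in profile if k not in FIELD_RULES]
    for key, rule in FIELD_RULES.items():
        value = profile.get(key)
        if value is None:
            problems.append(f"missing field {key!r}")
        elif not rule.fullmatch(value) or (key == "port" and int(value) > 65535):
            problems.append(f"field {key!r} has disallowed content")
    return problems

def build_argv(profile):
    """Argument vector for a hypothetical 'vpn-helper' binary. Handing a
    list to an exec-style API (no shell) keeps every value as data."""
    if validate_profile(profile):
        raise ValueError("refusing to use an unvalidated profile")
    return ["vpn-helper", "--name", profile["name"], "--server",
            profile["server"], "--port", profile["port"],
            "--proto", profile["protocol"]]

# Constructed sample profiles (not taken from any real device).
BENIGN = "name=office\nserver=vpn.example.com\nport=1194\nprotocol=udp\n"
CRAFTED = "name=office\nserver=vpn.example.com;id\nport=1194\nprotocol=udp\n"

if __name__ == "__main__":
    print([validate_profile(parse_profile(s)) for s in (BENIGN, CRAFTED)])
```

Validation and shell-free invocation are independent layers: either one alone leaves a gap if the other is later weakened.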

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50206 is available across all HarborGuard environments: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in connected registries and CI/CD pipelines, including custom-built images that bundle affected Acer firmware or related components.

Triage: Available

Triage is available with a CVSS v4.0 base score of 8.5 (HIGH), weighted against each customer organization's own compliance policy to determine urgency and routed to the appropriate team inbox within that environment.

Patch: Pending upstream

No upstream fix version has been published by Acer for this vulnerability; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once an upstream patch exists.

Exploit Conditions

  • Network reachability

    The attacker must be on the same adjacent network, such as a local LAN or VPN segment; remote over-the-internet exploitation is not possible with this vector.

  • Authentication: Required

    An admin or privileged account is required to submit VPN profile config files, so the attacker must have already obtained high-privilege credentials.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker delivers the malicious config directly without any victim participation.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • The attacker executes arbitrary operating system commands on the router with the privileges of the VPN profile processing component.
  • All data transiting the device is accessible, including unencrypted LAN traffic and any credentials passed through the router.
  • The attacker can modify persistent device configuration, including firewall rules, routing tables, and VPN credentials stored on the device.
  • The router process can be crashed or rendered unresponsive, cutting off network connectivity for all clients dependent on the device.

How HarborGuard Handles This

Available on HarborGuard: because Acer has not yet published a fix for this vulnerability, HarborGuard continuously monitors the advisory and will surface a patched-image rebuild the moment an upstream fix version is released. In the interim, customers can apply compensating controls through HarborGuard policy enforcement: network-policy isolation rules can be used to restrict adjacency to the device management interface, and egress filtering can limit lateral movement in the event of compromise. For customers with auto-remediation enabled, the full rebuild-and-PR flow will trigger automatically once a fix is available, with no manual steps required. Teams managing images that incorporate affected Acer firmware components should flag those images for expedited review in the HarborGuard dashboard under the HIGH-severity queue.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N