HIGH | CVE-2026-50207 | CNA: Acer

CVE-2026-50207: Local Modem Manipulation via Binder Interfaces

The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in: (no version listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass and improper-input-validation flaw exists in the Binder interface layer of the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). A locally running application with low-privilege access can send unverified AT commands through the Binder boundary without any further authorization check. Successful exploitation lets an attacker read baseband files or disable cellular connectivity entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Acer publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-50207 is available across every HarborGuard environment, with ingestion from upstream advisories and vendor feeds within minutes of publication and matching against images in customer registries, CI/CD pipelines, and custom-built images derived from affected firmware or software stacks.

Status: Available

Triage

HarborGuard scores this CVE at 8.5 HIGH using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

Because no fix version has been published by Acer, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated firmware or software release appears. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the device is required.

  • Authentication: Required

    Any low-privilege local account or application context is sufficient to send AT commands through the Binder interface.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exercise the vulnerable Binder interface directly from a local process.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required to reach the vulnerable code path.

Blast Radius

  • Reads baseband files stored on the device, potentially exposing modem configuration, credentials, or diagnostic data.
  • Disables cellular connectivity, cutting off all mobile network access for users depending on the router.
  • Tampers with modem state through unverified AT commands, allowing persistent reconfiguration of baseband behavior.
  • Combines file-read and connectivity-disruption primitives to support broader lateral attacks against the device or its connected clients.

How HarborGuard Handles This

Available on HarborGuard: automated advisory monitoring is active for CVE-2026-50207, and the CVE is matched against any customer image derived from affected Acer Connect M6E 5G firmware on every ingest cycle. Because Acer has not yet published a remediated firmware version, no patched rebuild is currently available. While waiting for an upstream fix, customers can apply compensating controls through HarborGuard policy: network-policy isolation can restrict which local application identities are permitted to interact with Binder interfaces, and egress filtering can limit unexpected cellular-plane traffic. For customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR opened against affected workloads will be triggered automatically the moment Acer publishes a fix and HarborGuard ingests the updated advisory.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N