Severity: CRITICAL | CVE-2026-50208 | CNA: Acer

CVE-2026-50208: Permissive TrustAllCerts TLS Verification

High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.

Metrics

  • CVSS v4.0: 9.2
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication-bypass and cryptographic-weakness vulnerability in the Acer Connect M6E 5G Portable WiFi Router. The device's firmware contains TrustAllCerts routines that disable TLS certificate validation entirely, and pairs that weakness with hard-coded DES symmetric encryption keys reachable over the network without any authentication. A network-positioned attacker who can intercept traffic between the router and a backend service can decrypt and read that traffic in full, and can inject or tamper with data in transit. No patched firmware version has been published; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-50208 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images derived from affected Acer firmware base layers.

Status: Available

Triage

Triage is available using the CVSS v4.0 score of 9.2 (Critical), weighted against each environment's compliance policy to determine urgency and blast-radius context. Routing to the appropriate team inbox within each customer org is handled automatically based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published by Acer, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream firmware is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected router's network-exposed service over the network; the vulnerability is remotely exploitable with no physical access required.

  • Authentication: Not required

    No credentials or account of any kind are required to exploit this vulnerability.

  • Victim interaction: Not required

    No action from a user or administrator on the target device is needed for exploitation to succeed.

  • Attack complexity: Detail

    Exploitation requires the attacker to be in a position to intercept traffic (a man-in-the-middle position), introducing a positioning requirement, though no race conditions or memory-layout dependencies are involved.

Blast Radius

  • Reads decrypted network traffic flowing between the router and backend services, exposing credentials, session tokens, and any plaintext data in transit.
  • Injects or modifies data in transit between the router and its backend, tampering with configuration commands or firmware update payloads.
  • Disrupts availability of the router's network services to a limited degree (CVSS VA:L), consistent with minor service degradation rather than a full crash.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50208, HarborGuard continuously monitors the Acer advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. In the interim, compensating controls are worth considering: network-policy isolation to restrict which hosts can communicate with the affected device, egress filtering to limit the router's outbound reach to known-good endpoints, and where feasible, routing sensitive traffic through a separately validated TLS termination proxy that enforces certificate pinning independent of the device firmware. For customers who opt into auto-remediation, the full rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as upstream ships the patched firmware.
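
Teams that maintain their own client or firmware code can audit it for the same two weakness classes named in this advisory. The sketch below is an added example, not HarborGuard's detection logic and not code from the Acer firmware. It assumes the routines are Java-style `X509TrustManager` and `javax.crypto` code, which the advisory does not state, and the sample source is constructed.

```python
import re

# Constructed sample of decompiled Java; not taken from the Acer firmware.
SAMPLE = '''
class TrustAllCerts implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class Codec {
    byte[] enc(byte[] in) throws Exception {
        SecretKeySpec k = new SecretKeySpec("k3y!k3y!".getBytes(), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(in);
    }
}
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformDefault.checkServerTrusted(c, a);  // real validation
    }
}
'''

RULES = {
    # checkServerTrusted whose body is empty or a bare return: accepts any chain.
    "empty-trust-check": re.compile(
        r'void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?'
        r'\{\s*(?:return\s*;\s*)?\}'),
    # Single DES (56-bit key); "DESede" is deliberately not matched here.
    "des-cipher": re.compile(r'getInstance\s*\(\s*"DES(?:/[^"]*)?"'),
    # Key material built from a string literal compiled into the binary.
    "literal-key": re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]*"\s*\.getBytes'),
}

def scan(source):
    """Return sorted (line_number, rule_name) pairs for every rule hit."""
    findings = []
    for name, rx in RULES.items():
        for m in rx.finditer(source):
            findings.append((source.count("\n", 0, m.start()) + 1, name))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

The trust manager that delegates to a real validator produces no finding, so a hit on `empty-trust-check` points at code that accepts any certificate chain.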

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N