CRITICAL | CVE-2026-50209 | CNA: Acer

CVE-2026-50209: MDM Server Registration Overriding

Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass-style privilege escalation vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). A local, low-privileged attacker can send broadcast events to overwrite the device's Mobile Device Management (MDM) endpoint address, transferring administrative ownership to an external party. Successful exploitation gives the attacker full administrative control over device configuration, data, and availability. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built firmware-derived images that package affected Acer Connect M6E components. Any image layer carrying the affected firmware version is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS v4.0 9.3 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer releases a remediated firmware version. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access to the service is required to trigger the broadcast event.

  • Authentication: Required

    A low-privilege local account is sufficient; no administrative credentials are needed to issue the malicious broadcast.

  • Victim interaction: Not required

    The attack executes without any action from another user or administrator on the device.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental factors are required.

Blast Radius

  • The attacker redirects the MDM enrollment endpoint, transferring administrative ownership of the device to an external server they control.
  • Full read access to device configuration, stored credentials, and session state is granted to the attacker-controlled MDM server.
  • The attacker can modify persisted device settings, push arbitrary configuration profiles, and alter routing behavior on the portable WiFi router.
  • The attacker can render the device unmanageable by its legitimate owner or crash management services entirely, disrupting connectivity for all users on the router.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for this Critical-severity vulnerability, HarborGuard continuously monitors the Acer advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware version is released. For customers who opt into auto-remediation, the patched rebuild, regression test run, and a PR opened against affected workloads will trigger automatically with no manual intervention. In the interim, compensating controls are worth considering: network-policy isolation to restrict local shell access to the device, egress filtering to block unauthorized outbound MDM registration traffic, and feature-flag or firewall gating on broadcast-capable interfaces where the router management firmware supports it. Customers whose compliance policies flag unpatched Critical CVEs for immediate escalation will see this CVE routed to their designated security inbox automatically.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H