HarborGuard Database
Severity: HIGH | CVE-2026-50211 | CNA: Acer

CVE-2026-50211: Exposed Factory Testing App Boundaries

Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An exposed factory diagnostic interface in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.00.000019) leaves engineering-level testing software active in retail builds. The vulnerability is reachable over the network without any authentication, making it accessible to any device that can reach the router. Successful exploitation lets an attacker read sensitive runtime data, write to internal NVRAM registers, and crash the affected service. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built firmware-derived images. Coverage extends to any image layer that bundles the affected Acer Connect M6E firmware package.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.8 HIGH and weighting it against each customer environment's configured compliance policy, surfacing it to the appropriate team inbox. Per-environment policy rules can further escalate or suppress routing based on asset classification and exposure context.

Status: Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer releases a remediated firmware version. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The affected diagnostic interface is exposed over the network, so an attacker must be able to reach the router's network service to exploit this vulnerability.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to interact with the exposed factory diagnostic interface.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and does not require any action from a user or administrator on the target device.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental setup beyond network access.

Blast Radius

  • Reads sensitive runtime data from NVRAM registers, exposing device configuration and potentially stored credentials or keys.
  • Writes arbitrary values to internal NVRAM registers, allowing persistent modification of device behavior across reboots.
  • Crashes the affected diagnostic service, disrupting router functionality and potentially taking the device offline for connected clients.
  • Tampering with NVRAM contents can brick the device or introduce persistent backdoors that survive firmware restarts.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged immediately upon ingestion for any customer image or firmware-derived artifact that includes the affected Acer Connect M6E package at or below version M6E_AI_1.00.000019. Because Acer has not yet published a fix, no patched rebuild is available at this time; HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched image available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, that release will trigger a rebuild, regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation to restrict which hosts can reach the router's management interface, egress filtering to limit the diagnostic surface reachable from untrusted segments, and feature-flag or ACL gating at the network layer if the router's management firmware supports it.

Affected packages

  • Acer / Connect M6E 5G Portable WiFi Router: ≤ M6E_AI_1.00.000019

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N