Severity: HIGH | CVE-2026-50225 | CNA: Acer

CVE-2026-50225: Account Creation Exhaustion

The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in: (none published)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An account creation exhaustion vulnerability affects the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier). The registration endpoint /v1/account/register is reachable over the network with no authentication or bot mitigation, allowing automated scripts to flood the router's database with fake account registrations. Successful exploitation degrades the availability of the device and also gives limited access to stored and writable data. HarborGuard tracks the upstream advisory for patch availability and will make a patched-image rebuild available the moment Acer publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that incorporate the affected Acer firmware components. Any image containing the vulnerable firmware version is flagged automatically across customer registries and CI/CD pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (High severity) and weighting it against each customer environment's compliance policy to reflect local risk tolerance. Triage routing delivers findings to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

Because no fix version has been published by Acer, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable /v1/account/register endpoint is exposed over the network, meaning an attacker must be able to reach the device's HTTP service remotely.

  • Authentication: Not required

    No credentials or session token are needed to send registration requests to the affected endpoint.

  • Victim interaction: Not required

    The attack is fully automated and requires no action from any user or administrator of the device.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free - no race conditions, memory layout knowledge, or environmental prerequisites are needed to flood the registration endpoint.

Blast Radius

  • Floods the router's internal database with fabricated account records, exhausting storage or processing capacity and crashing or severely degrading the device's availability.
  • Writes attacker-controlled data (fake account entries) into persisted database rows on the device.
  • Reads limited data exposed incidentally through the registration response flow, such as error messages or partial account state.

How HarborGuard Handles This

Available on HarborGuard: this CVE is ingested and matched against customer images as soon as it appears in upstream feeds. Because Acer has not yet published a fix for firmware M6E_AI_1.00.000019, no patched rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when Acer ships a fix version - for customers who opt into auto-remediation, that means a rebuild, regression run, and PR against affected workloads with no manual steps required. In the meantime, compensating controls worth considering include network-policy isolation to restrict access to the router's registration endpoint to trusted source addresses only, egress filtering to limit outbound registration traffic, and disabling the registration feature via device configuration or firewall rule if account self-registration is not operationally required.
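
Until a fix exists, a flood against /v1/account/register can at least be detected from request logs. The following is an added example, not HarborGuard's or Acer's code: it assumes Common Log Format lines from a proxy or firewall in front of the device, and the threshold, window, sample addresses and the /v1/status path are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

REGISTER_PATH = "/v1/account/register"  # endpoint named in the advisory
# Assumption: Common Log Format, as written by a proxy or firewall in front of the device.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (source, timestamp) for a POST to the registration path, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    # Ignore query strings and trailing slashes when matching the path.
    if m["path"].split("?", 1)[0].rstrip("/") != REGISTER_PATH:
        return None
    return m["src"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_floods(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source to the time it first reached `threshold` registrations within `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        src, ts = hit
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def sample_log():
    """Constructed sample: one scripted source, one ordinary user, one unrelated request."""
    fmt = '{} - - [12/Mar/2026:10:00:{:02d} +0000] "{} {} HTTP/1.1" {} 64'
    lines = [fmt.format("198.51.100.7", s, "POST", REGISTER_PATH, 200) for s in range(0, 20, 2)]
    lines.append(fmt.format("192.0.2.10", 5, "POST", REGISTER_PATH, 200))
    lines.append(fmt.format("192.0.2.10", 6, "GET", "/v1/status", 200))  # hypothetical path
    return lines

if __name__ == "__main__":
    for src, ts in find_floods(sample_log()).items():
        print(f"{src} reached the registration threshold at {ts.isoformat()}")
```

Sources flagged this way are candidates for the source-address restriction described above; the threshold should be tuned to the number of legitimate registrations the device normally sees.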

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N