By vendor

Acer vulnerabilities

Known CVEs affecting Acer products, prioritized by severity, with SEC.co remediation and detection guidance.

8 published vulnerabilities

  • CVE-2026-49190HIGH 8.8

    A flaw in Acer Connect M6E 5G firmware fails to properly enforce access controls when processing internal system instructions, allowing authenticated users to install unauthorized applications or execute arbitrary commands on the device. The vulnerability requires valid login credentials but provides no other barriers once an attacker gains initial access.

  • CVE-2026-49194HIGH 8.8

    A debugging function called SCREEN_CLICK(5053) in certain Acer Connect M6E 5G devices allows an authenticated user to bypass the normal login process and gain direct access to an interactive shell. This circumvents device security controls and could enable an attacker with valid credentials to take full control of the device without standard authentication checks.

  • CVE-2026-49195HIGH 8.8

    A debug service running on Acer Predator Connect W6X devices exposes a command interface on port 9000 without requiring any authentication. Any device with network access to an affected device can send arbitrary commands to this service, potentially taking complete control of the device. This is a local network vulnerability, meaning the attacker must be on the same network segment as the target.

  • CVE-2026-49189HIGH 7.8

    CVE-2026-49189 is a privilege escalation vulnerability in Acer Connect M6E 5G devices where a core system component (Broadcast Receiver) fails to enforce access controls. Any application installed on the device—even one with minimal permissions—can trigger administrative operations that should be restricted. This bridges the gap between a low-privilege app and high-impact actions, allowing local attackers to escalate their capabilities without user interaction.

  • CVE-2026-49187HIGH 7.5

    CVE-2026-49187 is a confidentiality vulnerability in Acer Connect M6E 5G devices where hard-coded resource files embedded in the APK firmware do not expire and can be accessed via a shared mechanism. This allows an attacker to retrieve sensitive information from the device without authentication. The vulnerability does not permit data modification or service disruption, but the information exposure risk is significant enough to warrant prompt remediation.

  • CVE-2026-49193HIGH 7.5

    CVE-2026-49193 is a high-severity vulnerability affecting Acer Connect M6E 5G devices where overly permissive cloud storage container settings allow telemetry data to be exposed publicly on the internet. An attacker does not need authentication or special access to view sensitive telemetry information—it is simply accessible to anyone who knows where to look. This is a data exposure risk that could reveal operational and usage patterns of affected devices and their networks.

  • CVE-2026-49196HIGH 7.2

    CVE-2026-49196 is a command injection vulnerability in Acer Predator Connect W6X Wi-Fi devices. The device's built-in feature for blocking Wi-Fi connections fails to properly validate MAC addresses before processing them, creating an opening for attackers to inject and execute arbitrary shell commands. An attacker with administrative access could leverage this to compromise the device and potentially the network it protects.

  • CVE-2026-49192MEDIUM 5.4

    A flaw in the Acer Connect M6E 5G device's summary service endpoint allows authenticated users to bypass ownership checks and access device data they don't own. An attacker with valid credentials can enumerate and scrape hardware information by manipulating device serial numbers in API requests, leading to unauthorized disclosure of device details across the user base.