CVE-2026-49189: Acer Connect M6E 5G Broadcast Receiver Permission Bypass (CVSS 7.8)
CVE-2026-49189 is a privilege escalation vulnerability in Acer Connect M6E 5G devices where a core system component (Broadcast Receiver) fails to enforce access controls. Any application installed on the device—even one with minimal permissions—can trigger administrative operations that should be restricted. This bridges the gap between a low-privilege app and high-impact actions, allowing local attackers to escalate their capabilities without user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-269
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper permission validation on an exported Broadcast Receiver in Acer Connect M6E 5G firmware. Broadcast Receivers are Android components that listen for system-wide or application-specific events; when exported without proper permission guards, they become callable by any installed application. CVE-2026-49189 allows an unprivileged process to invoke protected administrative functions through this unguarded receiver, resulting in capability escalation. The CVSS 3.1 score of 7.8 reflects high impact across confidentiality, integrity, and availability, with local attack vector and low attack complexity.
Business impact
Organizations deploying Acer Connect M6E 5G devices in managed environments face significant risk. An attacker who achieves initial installation of a seemingly innocuous app gains a pathway to administrative control—enabling data exfiltration, device misconfiguration, service disruption, or lateral movement in corporate networks. In enterprise wireless/connectivity scenarios, this could compromise both the device itself and connected infrastructure. The lack of exploitation barriers (no special conditions required) increases the realistic threat surface.
Affected systems
This vulnerability affects Acer Connect M6E 5G firmware versions. The vulnerability is specific to the Acer Connect M6E 5G product line; verify the exact firmware versions in scope by consulting Acer's security advisory, as version-specific patch guidance has not been published in this data.
Exploitability
Exploitation requires local presence (an attacker must install an app on the target device) but no user interaction or special conditions beyond that. Attack complexity is low; any developer can craft an app that calls the vulnerable Broadcast Receiver. The barrier to exploitation is primarily distribution—getting the malicious app onto a target device—rather than technical difficulty. This is a practical risk in bring-your-own-device scenarios or supply-chain distribution contexts.
Remediation
Acer must issue a firmware update that either removes the public export flag from the vulnerable Broadcast Receiver or adds explicit permission checks to validate caller identity before processing administrative commands. End users should apply vendor patches immediately upon availability. Until patched, restrict untrusted app installation on Acer Connect M6E 5G devices and consider network-level controls to limit exposure.
Patch guidance
Monitor Acer's security advisories for firmware updates addressing CVE-2026-49189. When available, apply the patched firmware to all Acer Connect M6E 5G devices in your environment. Verify compatibility and test in a non-production environment before broad deployment. Acer's official advisory will specify exact firmware versions and download locations; do not rely on third-party sources for firmware distribution.
Detection guidance
Monitor for unexpected IPC (inter-process communication) calls to the vulnerable Broadcast Receiver from low-privilege applications. On managed devices, audit app installation logs and flag any apps with suspicious permissions requested post-installation. Network detection may observe unusual configuration changes or data flows originating from the device following exploitation. Endpoint detection and response (EDR) tools should flag process spawning from untrusted apps on these devices.
Why prioritize this
This is a HIGH-severity flaw affecting a connectivity appliance in an enterprise product line. The combination of high CVSS (7.8), ease of local exploitation, and the device's role in network infrastructure justifies rapid prioritization. Organizations using these devices in production environments should prioritize vulnerability and patch assessment within their quarterly risk cycles.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: Local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This scoring appropriately captures the practical risk of an installed app gaining administrative capabilities. The severity is not critical (would require remote vector or broader impact) but definitely HIGH.
Frequently asked questions
Does this affect my Acer Connect M6E 5G if I don't install untrusted apps?
The vulnerability still poses risk in supply-chain or bundled-software scenarios where an apparently legitimate app may contain malicious code. Additionally, if your device receives updates or pre-installed software from a third party, those could contain the exploit. Best practice is to patch regardless of app installation practices.
Is there a public exploit for CVE-2026-49189?
As of the current data, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed active exploitation in the wild. However, the low exploitation barrier means weaponized code could emerge; treat this as a forward-looking risk even if current attack activity is limited.
What should I do if I can't patch immediately?
Implement network segmentation to limit what the device can communicate with, restrict app installation through mobile device management (MDM) policies if these devices support it, and monitor for suspicious activity. Escalate your patch timeline as soon as firmware becomes available.
Why does this require local presence if it's so severe?
The CVSS score reflects the actual threat model: an attacker needs to deliver code to the device first. However, 'local' includes any app store, email attachment, or compromise of a legitimate app—realistic attack vectors in enterprise environments.
This analysis is based on publicly available information as of 2026-06-17. Specific patch availability, version numbers, and remediation timelines should be verified against Acer's official security advisory. Organizations should conduct their own risk assessment based on device deployment, network context, and threat model. This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog; status may change. SEC.co provides this intelligence for informational purposes and does not guarantee completeness or real-time accuracy of vendor responses. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation
- CVE-2026-0091HIGHAndroid Launcher Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2026-44543HIGHLocal Path Provisioner Configuration Injection Leading to Node Compromise
- CVE-2026-46827HIGHOracle E-Business Suite Payroll Remote Compromise – 8.8 CVSS
- CVE-2026-46837HIGHOracle Flow Manufacturing SQL Injection & Privilege Escalation
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability