CVE-2026-49192: Acer Connect M6E 5G IDOR Vulnerability – Authorization Bypass & Data Exposure
A flaw in the Acer Connect M6E 5G device's summary service endpoint allows authenticated users to bypass ownership checks and access device data they don't own. An attacker with valid credentials can enumerate and scrape hardware information by manipulating device serial numbers in API requests, leading to unauthorized disclosure of device details across the user base.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49192 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the summary service endpoint in Acer Connect M6E 5G firmware. The endpoint fails to validate that the requesting user owns the hardware serial number being queried. This authorization bypass allows any authenticated attacker to retrieve device data associated with arbitrary serial numbers. The vulnerability is triggered through standard API calls without requiring elevated privileges or user interaction, making it readily exploitable by any account holder.
Business impact
Device owners face privacy erosion as attackers can harvest IoT device data at scale, potentially mapping network deployments, identifying specific hardware configurations, or correlating device details with other reconnaissance data. For organizations managing fleets of M6E 5G devices, this exposure could enable targeting of specific infrastructure or reveal device inventory across customer bases. While not enabling remote code execution, the data exposure supports reconnaissance-driven attacks and violates user privacy expectations.
Affected systems
Acer Connect M6E 5G and its associated firmware are affected. Both the hardware device and its firmware release require attention. Verify exact firmware versions against Acer's security advisory to determine patch eligibility.
Exploitability
Exploitability is straightforward. The vulnerability requires network access and valid authentication credentials, but no special privileges or user interaction. An attacker with any legitimate account can immediately begin harvesting device data by iterating through serial numbers. The low barrier to exploitation and ease of automating requests for mass data collection elevates practical risk.
Remediation
Acer has released patched firmware versions addressing the authorization check in the summary service endpoint. Users should apply the latest available firmware update to their Connect M6E 5G devices. Verify the patch version in Acer's security advisory to confirm you have the corrected build. In parallel, monitor API logs for suspicious patterns of repeated summary endpoint queries with varying serial number parameters as a sign of active exploitation.
Patch guidance
Contact Acer or visit their support portal to download the latest firmware release for the Connect M6E 5G. Apply the update according to Acer's documented procedures. Before and after patching, document your device serial numbers and baseline access patterns to detect any compromise indicators. If your organization uses automated device management, verify firmware deployment mechanisms support the patched version.
Detection guidance
Hunt for anomalous API access to the summary service endpoint by monitoring request patterns: look for single accounts making repeated calls with different device serial numbers, requests originating from unexpected network segments, or sudden spikes in summary endpoint traffic. Log and alert on failed ownership validation attempts if Acer's logging includes such indicators. Network-based detection should flag clients querying the endpoint with serial number variations outside normal device refresh patterns.
Why prioritize this
Although rated MEDIUM severity with a CVSS score of 5.4, this vulnerability merits timely remediation because it enables systematic data harvesting of connected device information. Organizations managing multiple M6E 5G deployments should treat this as a privacy-tier risk requiring accelerated patching. The ease of exploitation and lack of complex attack prerequisites mean threat actors can quickly operationalize it against exposed user bases.
Risk score, explained
The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N score of 5.4 reflects network-accessible exploitation requiring valid credentials (low attack complexity, but authentication required), with limited confidentiality and integrity impact and no availability impact. The score appropriately captures the authorization flaw's severity while acknowledging that data exposure is scoped to individual records rather than system-wide compromise or service disruption.
Frequently asked questions
Can this vulnerability be exploited without authentication?
No. CVE-2026-49192 requires valid login credentials to access the summary service endpoint. An attacker must first obtain or create an account, but once authenticated, no further barriers prevent querying arbitrary device serial numbers.
What data is exposed if my M6E 5G device is accessed via this vulnerability?
The summary service endpoint typically exposes device configuration details, status information, and identifiers. Attackers can harvest this hardware metadata to map device deployments, but the vulnerability does not grant access to user credentials, network traffic payloads, or backend systems.
How do I know if my device has been exploited?
Review API access logs for your device if available through Acer's management portal. Look for summary endpoint requests originating from unfamiliar source IPs or accounts, or unusual patterns of serial number queries. Acer may also provide breach notifications if active exploitation is detected.
Should I temporarily disable the device while waiting for a patch?
Disabling is not necessary if your device is behind a firewall or restricted to trusted networks. Instead, prioritize applying the patch when available, monitor access logs, and restrict API endpoint access to known good sources if your deployment supports network-level controls.
This analysis is based on publicly available information as of the vulnerability publication date. Patch availability, affected firmware versions, and timeline details should be verified directly against Acer's official security advisory. SEC.co does not provide exploit code or weaponized proof-of-concepts. Organizations should conduct internal testing in isolated environments before deploying patches to production. This explainer does not constitute legal or compliance advice; consult your security and legal teams for incident response and regulatory requirements specific to your industry. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability