HIGH 8.8

CVE-2026-49194: Acer Connect M6E 5G Authentication Bypass via SCREEN_CLICK Debugging Function

A debugging function called SCREEN_CLICK(5053) in certain Acer Connect M6E 5G devices allows an authenticated user to bypass the normal login process and gain direct access to an interactive shell. This circumvents device security controls and could enable an attacker with valid credentials to take full control of the device without standard authentication checks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-287
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49194 exists in the Acer Connect M6E 5G device firmware due to improper authentication enforcement in a debugging routine (SCREEN_CLICK function with parameter 5053). The vulnerability allows an authenticated but unprivileged user to skip the standard device login prompt and directly instantiate an interactive shell session. The issue is classified under CWE-287 (Improper Authentication) and achieves a CVSS 3.1 score of 8.8 (HIGH), with a network-accessible vector, low attack complexity, and requiring only low privilege (authenticated user) to trigger. The attack results in complete confidentiality, integrity, and availability compromise.

Business impact

An attacker who obtains valid credentials to an Acer Connect M6E 5G device can fully compromise the device and any data or services it controls, without triggering standard authentication logs or alerts. This is particularly dangerous in enterprise or SOHO deployments where the device acts as a gateway or network hub. The ability to bypass login controls increases the window for lateral movement, data exfiltration, or malware deployment before detection.

Affected systems

The vulnerability affects Acer Connect M6E 5G devices and their firmware. Both the hardware model (acer connect_m6e_5g) and the associated firmware component (acer connect_m6e_5g_firmware) are in scope. Organizations deploying these devices in any environment should inventory and prioritize assessment and patching.

Exploitability

Exploitation requires an attacker to first obtain valid authentication credentials for the target device—a realistic scenario in environments with weak password policies, credential reuse, or insider threats. Once authenticated, the attack is trivial: invoking the SCREEN_CLICK(5053) function requires only network access and does not depend on user interaction or specific timing. The low barrier to exploitation post-authentication, combined with the high severity of the resulting compromise, makes this a critical issue for any organization using these devices.

Remediation

Acer should release a patched firmware version that either removes the SCREEN_CLICK(5053) debugging routine entirely or enforces proper authentication checks within it. Organizations should apply any vendor-issued security updates immediately upon release. Until patches are available, mitigations may include network segmentation to restrict access to affected devices, implementation of strong authentication policies, and monitoring for unusual shell access patterns on these devices.

Patch guidance

Consult the Acer security advisory for the Connect M6E 5G to identify and deploy the patched firmware version. Verify the patch is available through Acer's official support channels before deployment. Apply the update during a maintenance window and confirm successful installation by verifying the firmware version post-update. If no patch has been released, contact Acer support to obtain an estimated timeline and interim mitigation guidance.

Detection guidance

Monitor network traffic for unexpected shell sessions or command execution originating from Acer Connect M6E 5G devices. Log all authentication attempts and track any successful logins followed immediately by shell access without the standard login prompt. Implement intrusion detection rules that flag calls to SCREEN_CLICK or similar debugging functions. Baseline normal device communication and alert on deviations. Device logs (if accessible) should be reviewed for evidence of direct shell instantiation.

Why prioritize this

This vulnerability scores HIGH (8.8) due to its network-accessible attack surface, ease of exploitation by an authenticated user, and complete compromise potential. While it requires prior credential possession, the prevalence of weak credential hygiene and the severity of the resulting system compromise make it a priority 1 candidate for patching in any organization using these devices. The absence of a KEV entry does not diminish its risk.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects the combination of network availability (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and complete impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of an authentication bypass leading to full device control, though the requirement for valid credentials prevents a critical (9.0+) rating.

Frequently asked questions

Does this vulnerability allow unauthenticated access?

No. An attacker must possess valid authentication credentials to the device before exploiting SCREEN_CLICK(5053). The vulnerability bypasses the login prompt for authenticated users, not the authentication system itself.

Is this vulnerability actively exploited in the wild?

This vulnerability is not currently listed in the National Vulnerability Database's Known Exploited Vulnerabilities (KEV) catalog, which suggests no confirmed active exploitation as of the publication date. However, the ease of exploitation post-authentication means organizations should not delay patching.

What should organizations do if they cannot immediately patch their devices?

Segment affected devices on the network to limit lateral movement, enforce strong authentication policies, monitor for suspicious shell access, and maintain logs of all access attempts. Consider disabling remote management capabilities if possible until patches are available.

Are all Acer Connect M6E 5G devices affected, or only certain firmware versions?

The vulnerability affects the product line specified in the advisory. Check the vendor advisory for specific affected firmware versions. Only devices running vulnerable versions require immediate action; if your device has already been patched by Acer, the risk is mitigated.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Organizations must verify patch availability and applicability to their specific device models and firmware versions through Acer's official security advisories and support channels. SEC.co does not provide specific patch version numbers or deployment instructions; consult vendor documentation for authoritative guidance. This information does not constitute legal, compliance, or procurement advice. Readers are responsible for assessing risk in their own environments and implementing appropriate controls. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).