CVE-2026-49194: Acer Connect M6E 5G Authentication Bypass via SCREEN_CLICK Debugging Function
A debugging function called SCREEN_CLICK(5053) in certain Acer Connect M6E 5G devices allows an authenticated user to bypass the normal login process and gain direct access to an interactive shell. This circumvents device security controls and could enable an attacker with valid credentials to take full control of the device without standard authentication checks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-287
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49194 exists in the Acer Connect M6E 5G device firmware due to improper authentication enforcement in a debugging routine (SCREEN_CLICK function with parameter 5053). The vulnerability allows an authenticated but unprivileged user to skip the standard device login prompt and directly instantiate an interactive shell session. The issue is classified under CWE-287 (Improper Authentication) and achieves a CVSS 3.1 score of 8.8 (HIGH), with a network-accessible vector, low attack complexity, and requiring only low privilege (authenticated user) to trigger. The attack results in complete confidentiality, integrity, and availability compromise.
Business impact
An attacker who obtains valid credentials to an Acer Connect M6E 5G device can fully compromise the device and any data or services it controls, without triggering standard authentication logs or alerts. This is particularly dangerous in enterprise or SOHO deployments where the device acts as a gateway or network hub. The ability to bypass login controls increases the window for lateral movement, data exfiltration, or malware deployment before detection.
Affected systems
The vulnerability affects Acer Connect M6E 5G devices and their firmware. Both the hardware model (acer connect_m6e_5g) and the associated firmware component (acer connect_m6e_5g_firmware) are in scope. Organizations deploying these devices in any environment should inventory and prioritize assessment and patching.
Exploitability
Exploitation requires an attacker to first obtain valid authentication credentials for the target device—a realistic scenario in environments with weak password policies, credential reuse, or insider threats. Once authenticated, the attack is trivial: invoking the SCREEN_CLICK(5053) function requires only network access and does not depend on user interaction or specific timing. The low barrier to exploitation post-authentication, combined with the high severity of the resulting compromise, makes this a critical issue for any organization using these devices.
Remediation
Acer should release a patched firmware version that either removes the SCREEN_CLICK(5053) debugging routine entirely or enforces proper authentication checks within it. Organizations should apply any vendor-issued security updates immediately upon release. Until patches are available, mitigations may include network segmentation to restrict access to affected devices, implementation of strong authentication policies, and monitoring for unusual shell access patterns on these devices.
Patch guidance
Consult the Acer security advisory for the Connect M6E 5G to identify and deploy the patched firmware version. Verify the patch is available through Acer's official support channels before deployment. Apply the update during a maintenance window and confirm successful installation by verifying the firmware version post-update. If no patch has been released, contact Acer support to obtain an estimated timeline and interim mitigation guidance.
Detection guidance
Monitor network traffic for unexpected shell sessions or command execution originating from Acer Connect M6E 5G devices. Log all authentication attempts and track any successful logins followed immediately by shell access without the standard login prompt. Implement intrusion detection rules that flag calls to SCREEN_CLICK or similar debugging functions. Baseline normal device communication and alert on deviations. Device logs (if accessible) should be reviewed for evidence of direct shell instantiation.
Why prioritize this
This vulnerability scores HIGH (8.8) due to its network-accessible attack surface, ease of exploitation by an authenticated user, and complete compromise potential. While it requires prior credential possession, the prevalence of weak credential hygiene and the severity of the resulting system compromise make it a priority 1 candidate for patching in any organization using these devices. The absence of a KEV entry does not diminish its risk.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the combination of network availability (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and complete impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of an authentication bypass leading to full device control, though the requirement for valid credentials prevents a critical (9.0+) rating.
Frequently asked questions
Does this vulnerability allow unauthenticated access?
No. An attacker must possess valid authentication credentials to the device before exploiting SCREEN_CLICK(5053). The vulnerability bypasses the login prompt for authenticated users, not the authentication system itself.
Is this vulnerability actively exploited in the wild?
This vulnerability is not currently listed in the National Vulnerability Database's Known Exploited Vulnerabilities (KEV) catalog, which suggests no confirmed active exploitation as of the publication date. However, the ease of exploitation post-authentication means organizations should not delay patching.
What should organizations do if they cannot immediately patch their devices?
Segment affected devices on the network to limit lateral movement, enforce strong authentication policies, monitor for suspicious shell access, and maintain logs of all access attempts. Consider disabling remote management capabilities if possible until patches are available.
Are all Acer Connect M6E 5G devices affected, or only certain firmware versions?
The vulnerability affects the product line specified in the advisory. Check the vendor advisory for specific affected firmware versions. Only devices running vulnerable versions require immediate action; if your device has already been patched by Acer, the risk is mitigated.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Organizations must verify patch availability and applicability to their specific device models and firmware versions through Acer's official security advisories and support channels. SEC.co does not provide specific patch version numbers or deployment instructions; consult vendor documentation for authoritative guidance. This information does not constitute legal, compliance, or procurement advice. Readers are responsible for assessing risk in their own environments and implementing appropriate controls. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend