CVE-2026-49195: Unauthenticated Debug Service on Acer Predator Connect W6X (CVSS 8.8)
A debug service running on Acer Predator Connect W6X devices exposes a command interface on port 9000 without requiring any authentication. Any device with network access to an affected device can send arbitrary commands to this service, potentially taking complete control of the device. This is a local network vulnerability, meaning the attacker must be on the same network segment as the target.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-306
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49195 is a missing authentication vulnerability in the /sbin/mtk_dut binary on Acer Predator Connect W6X devices. The service listens on TCP port 9000 and accepts UCC (Unified Command Control) commands without validating client credentials or authorization. The vulnerability maps to CWE-306 (Missing Authentication for Critical Function), reflecting the absence of access controls on a privileged interface. With a CVSS v3.1 score of 8.8 (HIGH severity), the vulnerability carries a vector of AV:A (adjacent network), AC:L (low complexity), PR:N (no privileges required), UI:N (no user interaction), and impacts confidentiality, integrity, and availability.
Business impact
Compromise of a Predator Connect W6X device could expose sensitive data stored on the device, corrupt configurations, or render it unavailable. In a business context, this device may be used for gaming peripherals, streaming, or connectivity management; unauthorized access could disrupt operations, lead to data exfiltration, or serve as a pivot point for lateral movement within the network. The risk is amplified if the device resides in a shared or guest network where multiple users have access.
Affected systems
The vulnerability affects Acer Predator Connect W6X devices (both the hardware and associated firmware). Acer has identified this product line as vulnerable. Check device firmware version against Acer's security advisories to determine if your specific installation is affected; consult vendor patch guidance for exact vulnerable firmware versions.
Exploitability
Exploitation requires network adjacency—the attacker must be on the same LAN segment as the target device. No authentication credentials are needed, and no user interaction is required. An attacker can craft UCC commands and send them directly to port 9000 to execute arbitrary operations. The low complexity and lack of prerequisites make this straightforward to exploit once network access is achieved. The vulnerability is not known to be exploited in the wild (KEV status: not listed), but the simplicity of attack means responsible defenders should assume hostile actors can and will attempt exploitation if devices remain unpatched.
Remediation
Acer is expected to release firmware updates that introduce authentication and access controls to the /sbin/mtk_dut service. Affected users should check Acer's official security advisory and update to the latest recommended firmware version. In the interim, network segmentation (isolating the device to a trusted network segment) and firewall rules blocking inbound connections to port 9000 from untrusted hosts provide temporary mitigation. Disable the debug service if it is not required for normal operation.
Patch guidance
Monitor Acer's security advisories for official firmware patches addressing this vulnerability. Download patches only from Acer's official website or trusted channels. Test patches in a non-production environment first to ensure compatibility and functionality. Once available, prioritize deployment of patched firmware to all affected Predator Connect W6X devices. Verify post-patch that the device functions correctly and that port 9000 is either no longer exposed or properly requires authentication.
Detection guidance
Look for network traffic to TCP port 9000 on Predator Connect W6X devices, particularly from unexpected or external sources. Monitor for UCC command patterns sent to that port. If you have network visibility, scan for devices listening on port 9000 and attempt a benign connection probe to identify vulnerable instances. Check device logs and firmware versions to establish inventory of affected assets. Intrusion detection rules should flag unauthorized access attempts to port 9000 on these devices.
Why prioritize this
Although not yet listed on the CISA Known Exploited Vulnerabilities catalog, this vulnerability merits high prioritization because of the combination of unauthenticated access, high CVSS score (8.8), and the trivial attack surface. Any device accessible on a corporate or home network is at risk without authentication controls. Organizations with Predator Connect W6X devices should treat patching as moderately urgent, especially if devices sit on shared or guest networks.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the severity of the risk: an unauthenticated, adjacent-network attacker can achieve confidentiality, integrity, and availability impact with no complexity. The only mitigation against a wide attack surface is the requirement for network adjacency (AV:A). This score is appropriate for a missing authentication vulnerability on a privileged interface.
Frequently asked questions
Do I need to be on the same physical network as the device to exploit this?
Yes. The vulnerability requires adjacent network access (AV:A), meaning the attacker must be on the same LAN segment. An internet-based attacker cannot directly exploit this vulnerability unless they have already compromised the internal network or the device is exposed via port forwarding (which would be a separate configuration error).
What happens if my device is patched but I can't update immediately?
Implement network segmentation to isolate the device to a trusted network where only authorized users have access. Configure firewall rules to block inbound connections to TCP port 9000 from untrusted sources. If the debug service is not required for normal operation, investigate whether it can be disabled or the device can be taken offline temporarily.
How can I tell if my Predator Connect W6X is affected?
Check your device firmware version against Acer's official security advisory. You can also attempt to connect to TCP port 9000 on the device (e.g., via telnet or nc) to verify if the service is exposed. If the connection succeeds without prompting for credentials, the device is likely vulnerable.
Is this vulnerability exploited in the wild?
As of the current KEV status, this vulnerability is not listed as being actively exploited. However, the simplicity of exploitation and the absence of a workaround other than patching mean organizations should not rely on obscurity. Assume threat actors have become aware of this vulnerability and will probe for vulnerable instances.
This analysis is based on publicly available vulnerability data current as of the publication date. Patch availability, vendor advisories, and KEV status may change; verify directly with Acer for the latest firmware versions and official guidance. SEC.co provides this information for awareness and defensive planning purposes. No exploit code, proof-of-concept, or weaponized attack details are included. Organizations should conduct their own risk assessments and testing in controlled environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-24088HIGHQualcomm Bootloader Cryptographic Verification Flaw (CVSS 8.2)
- CVE-2026-24090HIGHQualcomm Partition Table Cryptographic Flaw Enables Boot Modification
- CVE-2026-36603HIGHMercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability
- CVE-2026-45332HIGHAutomad Unauthenticated Administrator Credential Exposure
- CVE-2026-46826HIGHOracle Payroll Authorization Flaw Enables Complete System Takeover