HIGH 8.3

CVE-2026-49203: Acer Connect M6E 5G eSIM Authorization Bypass (CVSS 8.3)

CVE-2026-49203 is a critical authorization flaw in Acer Connect M6E 5G cellular management APIs. The vulnerability allows an attacker with network access to remotely rewrite or delete eSIM profiles without authentication. Because the affected endpoints lack proper caller verification, an unauthenticated adversary on the same network can manipulate cellular configurations, potentially disconnecting devices or provisioning unauthorized SIM profiles. The flaw exposes organizations relying on these devices for cellular connectivity to profile tampering and service disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Weaknesses (CWE)
CWE-287
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from missing authorization validation (CWE-287) in management API endpoints responsible for eSIM profile lifecycle operations. These endpoints—designed to allocate, modify, and remove cellular profiles on the Acer Connect M6E 5G—do not verify the identity or permissions of API callers. An attacker positioned on the same network segment can send crafted API requests to modify or delete existing eSIM profiles without presenting credentials or tokens. The attack surface is local network-scoped (CVSS AV:A) but does not require user interaction or special access permissions to execute.

Business impact

Organizations using Acer Connect M6E 5G units for business cellular connectivity face disruption risk. An attacker could delete critical eSIM profiles, rendering devices unable to connect to cellular networks and interrupting services dependent on mobile connectivity. Additionally, attackers could inject fraudulent profiles, potentially redirecting traffic through compromised carriers or performing man-in-the-middle attacks. For enterprises managing fleets of cellular devices (IoT, mobile gateways, remote sites), this vulnerability creates an operational and confidentiality risk without requiring device compromise.

Affected systems

The vulnerability is specific to Acer Connect M6E 5G devices and their associated firmware. Both the hardware platform and its firmware component are affected. Any organization deploying these devices in network environments where untrusted or semi-trusted actors may reside—such as shared office networks, co-located facilities, or venues with guest connectivity—is exposed. Firmware versions prior to the vendor's patch release should be considered vulnerable; confirm exact patch boundaries via Acer's security advisory.

Exploitability

The attack requires network-layer access to the management API (local network or adjacent segment). No authentication or user interaction is required once the attacker has layer-3 connectivity. The attack is straightforward to execute: send unauthenticated API requests with profile modification payloads. The CVSS score of 8.3 (HIGH) reflects high integrity and availability impact offset by the local network requirement. This vulnerability has not been added to the CISA KEV catalog as of publication; however, the lack of KEV designation does not imply low exploitability—only that there is no evidence of active in-the-wild exploitation at the time of CVE publication.

Remediation

Apply the vendor-supplied firmware patch immediately if available. Verify the patch version against Acer's official security advisory to confirm the flaw is addressed. If a patch is not yet available, implement network segmentation to restrict management API access to trusted administrative interfaces only. Disable remote management features if not operationally necessary. Monitor API endpoint logs for suspicious or unauthenticated requests to profile-management endpoints. As an interim control, restrict layer-3 routing to the device's management interface from untrusted network zones.

Patch guidance

Contact Acer support or visit their security advisories page to obtain the latest firmware release for the Connect M6E 5G. Firmware updates for cellular devices typically require a deliberate administrative action (not automatic over-the-air updates on all models). Test the patched firmware in a non-production environment first to confirm compatibility with your deployment. Document the pre- and post-patch firmware version for compliance and audit records. If your organization uses Acer's device management platform, verify that platform can orchestrate the firmware deployment across multiple units to streamline patching.

Detection guidance

Monitor device logs and network traffic for unauthorized API calls to eSIM management endpoints. Inspect HTTP/HTTPS requests to any profile-management URIs for calls lacking proper authorization headers or bearer tokens. Baseline normal management traffic during maintenance windows, then alert on deviations. Use network analysis tools to detect anomalous API requests from unexpected source IPs or at unusual times. Review device audit logs for unexpected profile deletions, modifications, or additions. If your SIEM or network monitoring platform supports it, create detection rules for HTTP requests to known vulnerable endpoints without valid authentication credentials.

Why prioritize this

This vulnerability warrants immediate attention due to its HIGH CVSS score (8.3), high integrity and availability impact, and the simplicity of exploitation. While the attack vector is limited to local network access, the absence of any authentication barrier makes the flaw trivial to exploit for an attacker already on the network. Organizations with Acer Connect M6E 5G devices in shared or semi-trusted network environments should prioritize patching. The impact (eSIM deletion or modification) directly affects service continuity and can be weaponized for denial of service or traffic interception.

Risk score, explained

CVSS 3.1 score of 8.3 is justified by: (1) high integrity impact (I:H) – profiles can be maliciously modified or deleted; (2) high availability impact (A:H) – profile deletion can render the device unable to connect to cellular networks; (3) low confidentiality impact (C:L) – attacker may observe profile metadata; (4) low attack complexity (AC:L) – no special conditions or circumvention required; (5) no privileges required (PR:N); (6) no user interaction (UI:N); (7) local network vector (AV:A) – reduces the scope of affected parties but not the severity of impact. The score reflects a serious flaw that merits HIGH severity classification and urgent remediation planning.

Frequently asked questions

Can this vulnerability be exploited from the Internet?

No. The CVSS vector indicates an Adjacent Network (AV:A) attack vector, meaning the attacker must have layer-3 network access to the device or its local network segment. Internet-based remote exploitation is not possible. However, any attacker on the same LAN—including guest network users or compromised internal hosts—can exploit it.

Does the lack of KEV designation mean this vulnerability is not being exploited?

Correct. The KEV catalog documents vulnerabilities for which there is active, in-the-wild exploitation evidence. This CVE has not been added to KEV, indicating no confirmed active exploitation campaigns at publication. However, KEV status is not a measure of severity or effort-to-exploit; it reflects threat intelligence observations. Organizations should not deprioritize patching based on KEV absence.

What should we do if we cannot patch immediately?

Implement network segmentation to isolate the Acer Connect M6E 5G devices on a separate VLAN or subnet. Restrict management API access to a trusted administrative network only. Disable remote management features if operationally feasible. Monitor the devices closely for suspicious profile modifications. Apply the patch as soon as it is available and tested. Contact Acer support to confirm patch availability and expected release timeline.

Are other Acer cellular devices affected by this flaw?

Based on current information, only the Acer Connect M6E 5G and its firmware are confirmed vulnerable. Other Acer cellular or networking devices may or may not be affected. Check Acer's security advisory to confirm the precise list of affected product SKUs and firmware versions. If you operate other Acer cellular devices, review the vendor advisory to validate their status.

This analysis is provided for informational purposes and reflects the CVE details and vendor advisories published as of June 2026. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Organizations should verify patch availability and version details directly with Acer before deploying updates. This vulnerability intelligence does not constitute legal advice, compliance guidance, or a substitute for a comprehensive security risk assessment. Readers are responsible for their own vulnerability management decisions and should consult their vendor and security teams. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).