CVE-2026-50206: Acer Connect M6E 5G VPN Profile Command Injection Vulnerability
A vulnerability in Acer Connect M6E 5G devices allows an authenticated administrator to execute arbitrary commands by uploading a malicious VPN configuration file. The device fails to properly sanitize special characters in VPN profile settings, which an attacker with high-level access could exploit to break out of the configuration parsing context and inject system commands. This is not a vulnerability an unauthenticated remote user can easily trigger, but it represents a significant risk in environments where VPN profiles are managed by potentially compromised accounts or supply chain actors.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50206 is an OS command injection vulnerability (CWE-78) in the VPN network profile import functionality of Acer Connect M6E 5G devices. The affected firmware does not implement proper input validation or escaping when processing special characters within VPN configuration files. An attacker with administrator-level privileges can craft a malicious VPN profile that includes shell metacharacters or command separators in configuration fields. When the device processes this file, the unsanitized input is passed to an underlying command execution context, enabling arbitrary command execution with device privileges. The CVSS 3.1 score of 6.8 (MEDIUM) reflects the requirement for high administrative privilege to trigger the vulnerability, balanced against its high impact on confidentiality, integrity, and availability once exploited.
Business impact
Compromise of an Acer Connect M6E 5G device via this vulnerability could allow an attacker to gain full control over the device's network functionality, intercept or redirect traffic, disable connectivity, or use the device as a pivot point to attack downstream networks. For organizations deploying these devices as mobile hotspots or edge network appliances, a successful attack could disrupt business continuity, compromise sensitive data in transit, and create regulatory compliance issues. The risk is particularly acute if device management accounts are shared, poorly secured, or compromised through phishing or credential stuffing. Rapid patching is essential for any device deployed in sensitive network environments.
Affected systems
The vulnerability affects Acer Connect M6E 5G devices running vulnerable firmware versions. The exact firmware versions requiring patching should be verified against Acer's official security advisory. Both the device hardware (acer connect_m6e_5g) and its associated firmware package (acer connect_m6e_5g_firmware) are in scope. Organizations should inventory all instances of this device model and determine current firmware versions to assess exposure.
Exploitability
Exploitation requires administrator-level access to the device's management interface, which significantly raises the bar for opportunistic attacks. However, the vulnerability is straightforward to exploit once authenticated—an attacker simply needs to craft a VPN profile file with injected commands and upload it through the configuration menu. No user interaction is required beyond the initial authentication. The low attack complexity and absence of any race conditions make this a reliable attack vector for inside threats or attackers with compromised administrative credentials. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but this does not diminish the urgency of patching in high-risk environments.
Remediation
Apply the latest firmware patch released by Acer for the Connect M6E 5G model. Verify the patch version against Acer's security advisory to ensure you are installing a build that specifically addresses CVE-2026-50206. Additionally, implement access controls to restrict VPN profile upload functionality to a minimal set of trusted administrators, enable logging and monitoring of configuration changes, and consider air-gapping or network-segmenting these devices if they are not essential to day-to-day operations. Review administrative credential hygiene to reduce the likelihood of account compromise.
Patch guidance
Check Acer's support portal for the Connect M6E 5G and download the latest available firmware. Before deploying patches, test them in a non-production environment to verify compatibility with your network configuration and any custom VPN profiles. Schedule patching during a maintenance window to minimize network disruption. After patching, verify that VPN functionality remains operational and that no previously uploaded malicious profiles persist. Document the patch version applied for compliance and audit purposes.
Detection guidance
Monitor device logs for unusual VPN profile uploads or configuration changes, particularly outside normal maintenance windows. Alert on any configuration import events from unexpected IP addresses or at atypical times. If device logs are accessible, search for shell metacharacters (pipes, semicolons, backticks, dollar signs) in VPN profile field values. Network-based detection is difficult without deep packet inspection of configuration file uploads. Organizations with SIEM systems should correlate any device reboots or command execution anomalies with recent configuration changes. Establish a baseline of normal administrative behavior to identify deviations.
Why prioritize this
Although this vulnerability carries a MEDIUM CVSS score and requires administrative authentication, it enables complete device compromise and should be treated as high priority in any environment where the Connect M6E 5G is deployed in a trust boundary with sensitive data or critical network paths. The simplicity of exploitation and the broad impact on device integrity and availability justify prompt remediation. Organizations with deployed instances should treat this as a critical patching candidate.
Risk score, explained
The CVSS 3.1 score of 6.8 reflects a medium overall risk profile tempered by the high-privilege requirement (PR:H), but weighted against the high impact across all three security dimensions (confidentiality, integrity, availability). The attack vector is Adjacent Network (AV:A), meaning an attacker must have network access to the device but does not need to be on the Internet backbone. The low attack complexity (AC:L) and absence of user interaction (UI:N) indicate that once an attacker has administrative credentials, exploitation is trivial. The score appropriately penalizes the privilege requirement but does not discount the severity of impact, making this a vulnerability that should not be ignored despite its medium label.
Frequently asked questions
Does this vulnerability affect me if I use the Connect M6E 5G only for personal mobile hotspot use?
If you are the sole administrator of the device and your credentials are not compromised, your personal risk is lower. However, you should still apply patches when available, particularly if you travel or use the device on untrusted networks where your administrative access might be probed. Patching is the safest approach regardless of deployment context.
Can this vulnerability be exploited remotely over the Internet?
No. The attack vector requires Adjacent Network access (AV:A), meaning an attacker must be on the same local network or have network connectivity to the device's management interface. Remote exploitation over the public Internet is not feasible unless the device's management port is explicitly exposed, which is not recommended.
What should I do if I cannot patch immediately?
Implement strict network access controls to limit who can reach the device's management interface. Disable or restrict VPN profile upload functionality if it is not actively needed. Rotate administrator credentials and enable any available logging features to detect suspicious configuration changes. Monitor the device for anomalous behavior and plan a patching timeline as soon as feasible.
Is there a workaround if I'm waiting for a patch?
There is no complete workaround that eliminates the vulnerability. The most effective interim measure is to restrict administrative access through network segmentation, strong access controls, and credential management. Do not delay patching indefinitely; treat it as a high priority once Acer releases a fix.
This analysis is provided for informational purposes to help security teams prioritize vulnerability remediation. It is not a substitute for official vendor advisories or security research conducted by qualified professionals. Verify all patch versions, affected firmware releases, and remediation steps against Acer's official security advisories before taking action. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and assumes no liability for decisions made based on this content. Organizations should conduct their own risk assessments and testing before deploying patches or making configuration changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49190HIGHAcer Connect M6E 5G Privilege Escalation & RCE via Opcode Bypass
- CVE-2026-10279MEDIUMOS Command Injection in wezterm-mcp 0.1.0
- CVE-2026-10805MEDIUMNetworkManager Local Privilege Escalation via Malformed MUD URL
- CVE-2026-45626MEDIUMArcane Docker Management Command Injection Vulnerability
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI