HIGH 7.8

CVE-2026-50207: Acer Connect M6E 5G Baseband AT Command Injection – CVSS 7.8 HIGH

A flaw in how the Acer Connect M6E 5G processes cellular commands allows local applications to bypass security controls and send unverified AT commands directly to the device's baseband modem. This creates a pathway for local attackers to extract sensitive baseband files or interfere with cellular connectivity. The vulnerability requires local access and unprivileged application-level execution, making it a risk in multi-app environments where untrusted code can run.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-22
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-50207 is a boundary validation weakness in the Binder IPC mechanism on the Acer Connect M6E 5G that fails to verify AT commands before passing them through to the baseband processor. AT commands—the legacy protocol for controlling cellular modems—can be misused to read protected firmware, configuration files, or IMSI data, or to disable cellular radio functionality. The vulnerability maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicating inadequate access control on a critical interface. With a CVSS 3.1 score of 7.8 (HIGH), it carries high impact to confidentiality, integrity, and availability, though exploitation requires local application-level privileges.

Business impact

Organizations deploying Acer Connect M6E 5G devices in enterprise or shared-use environments face risk of unauthorized data exfiltration, service disruption, and potential compliance violations if baseband data or customer information is accessed. Cellular connectivity is often critical for backup or primary communication; disabling it could interrupt business operations. The local privilege requirement limits exposure but does not eliminate it in BYOD or managed app ecosystems where multiple applications coexist. This vulnerability underscores the need for strict app vetting and network segmentation for mobile connectivity appliances.

Affected systems

The vulnerability impacts Acer Connect M6E 5G devices and associated firmware. This appears to be a mobile hotspot or 5G connectivity appliance. Verify the exact affected firmware versions against Acer's official advisory. Devices already deployed in production should be inventoried and assessed for whether local application execution can be controlled via app policies or network policies.

Exploitability

Exploitation is practical for an attacker with local application execution on the device. The local requirement (AV:L) and need for low privileges (PR:L) mean this is accessible to unprivileged apps or sideloaded code, but not to remote network attackers. No authentication bypass or complex interactions are required once execution is achieved (AC:L). The attack surface widens in settings where users can install arbitrary applications or where the device runs third-party firmware.

Remediation

Apply the latest firmware patch released by Acer for the Connect M6E 5G. The patch should add input validation and authorization checks to the Binder interface handling AT commands, ensuring only privileged system processes can invoke baseband operations. Until patching is complete, restrict local application execution on affected devices through platform security policies and app allowlisting where feasible. Monitor for suspicious AT command activity if forensic logging is available.

Patch guidance

Check Acer's support portal for the Connect M6E 5G for the latest firmware release dated after June 17, 2026 (the vulnerability modification date). Firmware updates typically require a wired connection or a specific update mode; review Acer's release notes for instructions. Test patches in a non-production environment first. If automatic updates are available, enable them. Verify the patch version number and checksum against Acer's official advisory before deployment.

Detection guidance

Monitor for local Binder calls that invoke AT command handlers with unchecked arguments, particularly commands that read memory or disable radio functionality (e.g., AT+QFASTBOOT, AT+CFUN=0). If your device offers baseband or system logs, look for unauthorized AT command sequences. Network-level detection is limited since the vulnerability is local, but monitor for unexpected cellular service state changes. Consider deploying Mobile Threat Defense (MTD) tools that can audit baseband-level operations if supported on this platform.

Why prioritize this

The vulnerability merits prompt patching due to its HIGH CVSS score and the sensitivity of baseband data. Baseband firmware, IMSI information, and cellular connectivity are fundamental to device function and user privacy. While the local privilege requirement limits attack surface compared to remote vulnerabilities, untrusted applications pose a credible threat in shared-device scenarios. The lack of KEV (Known Exploited Vulnerabilities) status does not reduce the risk; prioritize based on your inventory of these devices and your app governance posture.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects high impact across confidentiality (reading baseband files), integrity (modifying cellular settings), and availability (disabling service), offset partially by the requirement for local access and low privileges. The vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates this is a serious but not critical-level flaw. It does not propagate to other users or systems, but affects the targeted device completely.

Frequently asked questions

Who can exploit this vulnerability?

Any local application running on the device with standard (unprivileged) user permissions can invoke the vulnerable Binder interface. This includes third-party apps, sideloaded code, or malware that gains execution on the device. Remote attackers cannot exploit it directly unless they first compromise local code execution through a separate vulnerability.

What is an AT command and why does it matter?

AT commands are a legacy protocol used to control modems and cellular radios. They can query or modify modem state, read firmware, disable radio functions, and access subscriber identity data. If an unprivileged application can send arbitrary AT commands to the baseband without validation, it can perform operations normally restricted to system components, posing privacy and availability risks.

Does this affect all Acer Connect M6E 5G devices, or only certain firmware versions?

The vulnerability affects the Acer Connect M6E 5G product line. Specific affected firmware versions should be confirmed in Acer's official advisory. Some firmware releases may not be vulnerable if they include the fix. Always verify your device's current firmware version and cross-check it against the vendor's supported/affected version list.

What should I do if I cannot patch immediately?

Restrict local application execution on affected devices by disabling app installation from untrusted sources, using Mobile Device Management (MDM) policies to allowlist only approved apps, and isolating the device on a network segment with limited lateral movement. Monitor for suspicious behavior and plan patching as your primary mitigation strategy.

This analysis is based on publicly disclosed vulnerability data current as of June 2026. Patch availability, affected firmware versions, and workarounds are subject to change; consult Acer's official security advisories for authoritative guidance. No exploit code or proof-of-concept is provided. Organizations should conduct their own risk assessment based on their environment, inventory, and app governance policies. SEC.co makes no warranty regarding the completeness or accuracy of vendor disclosures and recommends independent verification before making security decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).