HIGH 7.5

CVE-2026-50213: Acer Connect M6E 5G User Profile Enumeration Vulnerability

A validation endpoint in Acer Connect M6E 5G firmware exposes detailed user profile information when attackers submit predictable identification strings. Instead of simply confirming whether an account exists, the endpoint returns full profile data sheets, turning a validation function into a data harvesting tool. An unauthenticated attacker can systematically crawl this endpoint by iterating through common or sequential ID values to collect user profiles at scale.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-798
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-50213 describes an information disclosure vulnerability in the /v1/User/validate endpoint of Acer Connect M6E 5G firmware. The endpoint is designed to validate user accounts but fails to restrict the scope of data returned. When called with predictable identification strings, it returns comprehensive user profile data rather than a simple true/false validation response. The vulnerability stems from inadequate output filtering and is classified under CWE-798 (Use of Hard-Coded Credentials), though the root cause appears to be excessive data exposure. The attack requires no authentication, no user interaction, and can be performed over the network, resulting in a CVSS 3.1 score of 7.5 (HIGH severity) with a vector reflecting high confidentiality impact.

Business impact

User privacy is directly compromised through bulk extraction of profile information from affected Acer Connect M6E 5G devices. Organizations and individuals using these devices for connectivity face exposure of personal data that could be used for targeted phishing, social engineering, identity theft, or competitive intelligence gathering. For enterprises managing fleets of these devices, the ability to enumerate and profile users at scale creates both privacy liability and operational risk. The lack of authentication requirement means an external attacker needs only network visibility to the affected endpoint.

Affected systems

Acer Connect M6E 5G and its associated firmware are affected. This is a mobile hotspot/connectivity device, suggesting exposure in environments where field workers, remote staff, or traveling users rely on this device for internet connectivity. Any deployment where the management or validation endpoint is accessible from untrusted networks—including the internet—should be considered at risk.

Exploitability

Exploitability is straightforward. The vulnerability requires no authentication, no special privileges, no user interaction, and no complex conditions (AC:L). An attacker can craft simple HTTP requests to /v1/User/validate with iterative identification strings from a remote network location. Automation allows systematic enumeration of profiles at scale. While not yet in CISA's Known Exploited Vulnerabilities (KEV) catalog, the simplicity of the attack pattern and the clear data exposure make this a practical target for threat actors seeking profile databases or reconnaissance data.

Remediation

Acer users should consult the vendor's security advisory for firmware updates specific to the Connect M6E 5G model. Remediation typically involves restricting the /v1/User/validate endpoint to return minimal information (e.g., only a boolean validation result) or implementing authentication and rate-limiting controls. Until patches are available, network-level mitigations such as restricting access to the management endpoint to trusted networks only can reduce exposure. Verify all available patches against Acer's official security notices.

Patch guidance

Check Acer's official support portal for Connect M6E 5G firmware updates released after June 4, 2026 (the publication date of this CVE). Firmware updates should be applied to all affected devices in your environment. Before deployment, test patches in a non-production setting to ensure compatibility with your network configuration. If no patch has been released by your vendor contact date, escalate to Acer support and implement compensating controls (network segmentation, access restrictions).

Detection guidance

Monitor for repeated calls to the /v1/User/validate endpoint, especially from external or untrusted IP addresses. Baseline normal usage patterns for this endpoint and alert on anomalous query rates or iterative ID patterns that suggest enumeration attempts. Review access logs for the /v1/User/validate path; legitimate use should be infrequent and from expected sources. Consider implementing request filtering or rate-limiting at the device management interface level to detect scanning activity. If device management interfaces are exposed to the internet, audit current access and restrict to VPN or trusted network ranges.

Why prioritize this

This vulnerability merits HIGH priority because it enables unauthenticated, network-accessible bulk extraction of user profile data with no prerequisites for attack. The confidentiality impact is complete (C:H), and the attack surface is broad. While not yet in the KEV catalog, the ease of exploitation and direct privacy harm justify immediate action. Organizations should treat this as a data exposure risk and prioritize remediation, especially if devices are internet-facing or support high-value users.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a network-accessible, unauthenticated vulnerability with high confidentiality impact and no requirement for user interaction or complex attack conditions. The absence of integrity and availability impact (attackers cannot modify data or disrupt service) prevents a critical rating, but the direct user data exposure and ease of exploitation place this firmly in the HIGH severity tier. In environments where these devices manage sensitive user populations, the business risk may justify treatment as higher priority than the base score alone.

Frequently asked questions

Does this vulnerability allow attackers to modify user data or take down the device?

No. The vulnerability only exposes profile information that can be read by unauthenticated attackers. It does not permit modification of data, account takeover, or denial of service. The integrity and availability of the system remain intact; confidentiality is the primary concern.

How quickly can an attacker enumerate profiles?

With no rate-limiting or authentication, an attacker can iterate through identification strings and retrieve profile data in near real-time. The speed depends on network latency and the number of profiles to enumerate, but bulk extraction can occur in minutes to hours if the ID scheme is predictable.

Is this vulnerability in active use by threat actors?

As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the simplicity of the attack and the obvious value of user profile data make it an attractive target. Organizations should assume active exploitation is possible even before widespread public disclosure.

What should I do if I cannot patch immediately?

Restrict network access to the device management interface and the /v1/User/validate endpoint to trusted networks only. Use a VPN or firewall rules to block external access. Implement rate-limiting on the endpoint if the device firmware or management layer supports it. Monitor for suspicious query patterns. Plan and test a patch deployment at your earliest opportunity.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co does not provide exploit code, weaponized proof-of-concept details, or step-by-step attack instructions. Patch versions, KEV status, and vendor advisory links are subject to change; verify all remediation steps against current vendor guidance before implementation. Organizations should conduct their own vulnerability assessment and testing in controlled environments. This content does not constitute legal, compliance, or vendor-specific support advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).