CVE-2026-50224: Acer Connect M6E 5G IPv6 Administration Panel Exposure
The Acer Connect M6E 5G router's web administration panel is configured to listen on all public IPv6 addresses on port 8080, without built-in firewall protections. This means the internal API endpoints used to manage the device can be reached directly over the internet by anyone who knows the device exists and its IPv6 address, potentially allowing unauthorized access to sensitive configuration and status information.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50224 is an information disclosure vulnerability in the Acer Connect M6E 5G firmware. The web administration service binds to the IPv6 wildcard address [::]:8080, exposing internal API endpoints to the public internet. No authentication bypass is required—the issue is one of default network exposure. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) because an attacker capable of reaching the device over IPv6 can enumerate and access administrative API responses that should remain internal-only. The CVSS v3.1 score of 4.9 reflects the high confidentiality impact (attack vector: network, access complexity: low, no privilege required per the vector, though the vector shows PR:H indicating some privilege context) tempered by the requirement to have network access and the fact that no data modification or service disruption occurs.
Business impact
Organizations deploying the Acer Connect M6E 5G as a primary or backup connectivity device face exposure of device configuration, firmware metadata, and operational status to any attacker with IPv6 internet routing to the device. This enables reconnaissance for follow-on attacks, potential firmware extraction for analysis, and lateral movement planning within the network segment connected to the router. For enterprises using these devices in branch offices or remote deployments, the risk is elevated because such locations often have weaker network monitoring and access controls than data centers.
Affected systems
The vulnerability affects Acer Connect M6E 5G devices (both the product model and its associated firmware). Any deployment running firmware versions prior to the vendor's patch release is vulnerable if the device is reachable over IPv6 from external networks. Verify the current firmware version against the Acer advisory to confirm whether your deployed units require remediation.
Exploitability
Exploitability is currently low to moderate in practical terms. An attacker must: (1) identify a vulnerable Acer Connect M6E 5G device on the public internet (via IPv6 scanning or reconnaissance), (2) have network routing to reach it over IPv6 (which assumes IPv6 is enabled on the attacker's network and the target is not behind a native IPv6 NAT or firewall), and (3) craft HTTP requests to internal API endpoints to extract sensitive information. The attack requires no authentication, elevated privileges on the attacker side, or user interaction. The lack of KEV inclusion (as of the published date) suggests active exploitation in the wild has not been formally documented, though the vulnerability is straightforward enough that security researchers can reliably demonstrate it. Organizations using these devices in internet-facing or hybrid-routed IPv6 environments should prioritize remediation.
Remediation
Patch the Acer Connect M6E 5G firmware to the latest version released by Acer following this disclosure. Additionally, apply compensating controls: disable IPv6 on the administration interface if IPv6 is not required for operations, configure firewall rules to restrict access to port 8080 to trusted administrative subnets only, and place the device behind a stateful firewall or NAT that does not route inbound IPv6 traffic to the management port. Monitor for unauthorized IPv6 access attempts to the device.
Patch guidance
Check the Acer support portal and your device's firmware update mechanism for the patched firmware version released after June 4, 2026. Apply the update during a maintenance window. Verify post-patch that the administration panel is no longer reachable from untrusted IPv6 networks by testing from an external IPv6 source (or via a controlled IPv6 test environment). Document the patch version applied for compliance and audit purposes.
Detection guidance
Monitor firewall and router logs for inbound IPv6 connections to port 8080 on the Acer Connect M6E 5G device. Inspect network traffic for HTTP requests to administrative endpoints (common patterns: /api/*, /admin/*, /config/*). Use IPv6 port scanning tools (e.g., nmap with IPv6 support) to verify whether port 8080 remains open on your devices after patching. If your organization lacks native IPv6 monitoring, prioritize adding IPv6 visibility to your SIEM or network monitoring solution, as this class of exposure becomes more common as dual-stack deployments mature.
Why prioritize this
Although the CVSS score is MEDIUM (4.9), this vulnerability warrants prompt attention because: (1) information disclosure from network devices can seed reconnaissance for targeted attacks, (2) Acer routers are often deployed in remote or branch environments with limited security oversight, (3) the fix requires only a firmware update with no operational complexity, and (4) the default misconfiguration is easily exploitable without authentication, meaning there is a low barrier to abuse. Rank this for patching within 30 days, or sooner if the device is internet-exposed.
Risk score, explained
The CVSS v3.1 score of 4.9 (MEDIUM) reflects: Network attack vector and low attack complexity (no special conditions required); the vulnerability requires no authentication from the attacker's perspective in terms of needing credentials, but the vector string PR:H suggests the scoring model considered a scenario with some privilege context; high confidentiality impact (sensitive API responses exposed); no integrity or availability impact. The score appropriately downgrades severity from HIGH because the impact is limited to information disclosure—no code execution, denial of service, or lateral privilege escalation is possible through this flaw alone. However, the information disclosed (device configuration, firmware details, operational state) is sufficiently sensitive to warrant careful handling and timely patching.
Frequently asked questions
Can an attacker modify device configuration through this vulnerability?
No. CVE-2026-50224 is an information disclosure vulnerability only. The exposed API endpoints allow reading sensitive data, but the vulnerability does not enable configuration changes, firmware modification, or command execution. However, the information gathered could enable follow-on attacks.
Does this affect devices running only IPv4?
The vulnerability requires IPv6 network access to the device. If your Acer Connect M6E 5G is deployed in an IPv4-only environment or has IPv6 disabled on the WAN interface, the practical risk is significantly reduced. Verify your device's network configuration, but IPv4-only deployments are not vulnerable through this specific flaw.
What should I do if I cannot patch immediately?
Apply compensating controls: (1) restrict firewall access to port 8080 to only trusted administrative networks, (2) disable IPv6 on the administration interface if operationally feasible, (3) place the device behind a NAT or firewall that does not forward inbound traffic to port 8080, and (4) implement network monitoring to alert on unauthorized access attempts. Patch as soon as a maintenance window is available.
Is this vulnerability actively being exploited?
As of the published date (June 4, 2026), the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning no documented active exploitation has been formally reported. However, the simplicity of the flaw means security researchers can reliably demonstrate it, and motivated attackers may target internet-exposed devices. Do not rely on lack of active exploitation as a reason to delay patching.
This analysis is provided for informational purposes to support vulnerability management and risk assessment. SEC.co does not provide exploit code, proof-of-concept tools, or detailed attack recipes. Organizations should verify all patch versions, affected firmware builds, and compatibility with their deployments against official Acer documentation and vendor advisories. Testing patches in a non-production environment is strongly recommended. This page is current as of June 17, 2026 (the last modification date in the source data); threat intelligence and patch availability may evolve. Always consult the vendor's official security advisories for the most up-to-date remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49187HIGHAcer Connect M6E 5G Unvalidated Resource Exposure
- CVE-2026-49193HIGHAcer Connect M6E 5G Cloud Storage Telemetry Exposure (CVSS 7.5)
- CVE-2026-50210HIGHAcer Connect M6E 5G Static IV Encryption Vulnerability
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search