Acer is prepping firmware updates for three critical vulnerabilities impacting its Connect M6E 5G portable Wi-Fi router. The bugs could let attackers bypass authentication, redirect device management or weaken encrypted traffic.
Impacted is the Acer Connect M6E 5G Mobile WiFi, a rugged portable 5G Wi-Fi 6E hotspot/router introduced last year. The hotspot, priced at around $250, is targeted at consumer and business use.
In its security bulletin posted Thursday, Acer said the flaws affect Acer M6E models running firmware version M6E_AI_1.00.000019 or earlier. Acer said no firmware update is available, but the flaws are being “systematically addressed” and fixes will be bundled into an upcoming over-the-air firmware update.
Acer did provide workaround fixes, pending an official patch.
The three critical CVEs, listed by Acer on Thursday alongside more than 20 lesser-severity Acer M6E flaws, are:
Screen lock authentication bypass (CVE-2026-49194): According to Acer, the flaw, which carries a CVSS score of 9.4, allows for a “complete compromise of the device. An attacker can execute arbitrary commands, install unauthorized applications, or alter system configurations without ever logging in.”
Permissive TrustAllCerts TLS Verification bug (CVE-2026-50208): The flaw carries a CVSS score of 9.2 and stems from a security misconfiguration where an application or device is explicitly instructed to blindly trust any SSL/TLS certificate it encounters, completely bypassing standard cryptographic validation.
MDM Server Registration Overriding flaw (CVE-2026-50209): The bug has a CVSS score of 9.3 and is tied to a weakness that allows unsecured internal commands, ultimately letting a malicious app secretly change the router’s Mobile Device Management (MDM) server and handing full administrative control to an attacker.
As of Friday, there were no reports of public Proof-of-Concept (PoC) exploits available, nor was there any indication of active, in-the-wild exploitation of the three Acer Connect M6E critical vulnerabilities.
“The vulnerabilities outlined in this advisory are being systematically addressed by Acer’s product security teams. Corrective patches will be bundled together and rolled out sequentially in an upcoming over-the-air firmware update,” according to the Acer security advisory.
To secure the Acer M6E device ahead of the official patch, administrators should immediately protect the management dashboard with a highly complex password and, if the network context permits, restrict inbound and outbound tracking on IPv6 interfaces.
Once the software update goes live, the patch should be applied by logging into the device’s web management interface (via http://192.168.76.1 or http://acerconnect.com) and navigating to System Settings > Firmware Update.
The flaws were identified by security researcher Ta-Lun Yen, with TXOne Networks.
Image Credit: Acer