PatchSiren

CVE-2026-50207 Acer CVE debrief

A local privilege escalation vulnerability in Acer Connect M6E 5G firmware allows authenticated local attackers to send unverified AT commands through the Binder interface. The flaw enables reading baseband files or disabling cellular connectivity. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), though the description indicates an AT command injection/bypass issue rather than a traditional path traversal. The CVSS 4.0 vector indicates a local attack vector with low attack complexity, low privileges required, and high impact on the confidentiality, integrity, and availability of the vulnerable component.

Vendor: Acer
Product: Connect M6E 5G firmware
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Organizations deploying Acer Connect M6E 5G mobile hotspots or routers; telecommunications administrators managing cellular edge devices; security teams monitoring IoT/telecom infrastructure for baseband compromise or connectivity disruption risks.

Technical summary

The Binder IPC boundary in Acer Connect M6E 5G firmware fails to validate or restrict AT commands passed through from local applications. This allows any local application with basic access to issue pass-through AT commands directly to the baseband processor. Consequences include unauthorized reading of baseband file systems and the ability to disable cellular connectivity. The vulnerability requires local access and low privileges, with no user interaction needed. The attack complexity is low and the vulnerability has been analyzed by NVD with a HIGH severity rating.

Defensive priority

HIGH

Recommended defensive actions

  • Apply firmware update M6E_AI_1.00.000020 or later when available from Acer
  • Restrict physical and logical access to affected devices to trusted administrators only
  • Monitor for unexpected cellular connectivity changes or baseband configuration modifications
  • Review device logs for anomalous AT command execution patterns
  • Contact Acer support for patch availability if running firmware version M6E_AI_1.00.000019 or earlier

Evidence notes

NVD analyzed status as of 2026-06-04. Vendor advisory published at community.acer.com. CPE criteria confirm affected product as Acer Connect M6E 5G firmware versions up to and including M6E_AI_1.00.000019.
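
The affected range and fixed version above can be turned into a fleet triage check. The following is an added example, not code from Acer or from this advisory; the device names, the sample inventory and the assumed version layout (prefix_major.minor.build) are constructed for illustration.

```python
import re

# Fixed version as stated in the advisory text above.
FIXED = "M6E_AI_1.00.000020"

# Assumed layout: <product prefix>_<major>.<minor>.<build>, numeric fields.
_VERSION_RE = re.compile(
    r"^(?P<prefix>[A-Z0-9]+(?:_[A-Z0-9]+)*)_(?P<major>\d+)\.(?P<minor>\d+)\.(?P<build>\d+)$"
)

def parse_version(text):
    """Return (prefix, (major, minor, build)), or None if the string is unparseable."""
    m = _VERSION_RE.match(text.strip().upper())
    if not m:
        return None
    return m["prefix"], (int(m["major"]), int(m["minor"]), int(m["build"]))

def classify(version_string):
    """Return 'affected', 'patched' or 'unknown' for one reported firmware string."""
    parsed, fixed = parse_version(version_string), parse_version(FIXED)
    # Missing, malformed or foreign-prefix strings are never counted as patched.
    if parsed is None or parsed[0] != fixed[0]:
        return "unknown"
    # Compare numerically so differently padded builds still order correctly.
    return "affected" if parsed[1] < fixed[1] else "patched"

def triage(inventory):
    """Group device names by status; 'unknown' devices need manual review."""
    groups = {"affected": [], "patched": [], "unknown": []}
    for device, version in inventory.items():
        groups[classify(version)].append(device)
    return {status: sorted(names) for status, names in groups.items()}

# Constructed sample inventory (hypothetical device names).
INVENTORY = {
    "hotspot-01": "M6E_AI_1.00.000019",
    "hotspot-02": "M6E_AI_1.00.000020",
    "hotspot-03": "M6E_AI_1.00.000007",
    "hotspot-04": " m6e_ai_1.00.000021 ",
    "hotspot-05": "",                    # version not reported
    "hotspot-06": "X9Z_BB_2.01.000003",  # made-up prefix for another product
}

if __name__ == "__main__":
    for status, names in triage(INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices in the "unknown" group should be checked by hand rather than assumed safe.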
