PatchSiren cyber security CVE debrief

CVE-2026-50208 Acer CVE debrief

Acer Connect M6E 5G firmware contains critical TLS security weaknesses. TrustAllCerts routines disable standard certificate validation, and hard-coded DES symmetric encryption keys are present. A network-positioned attacker could exploit these flaws in a Man-in-the-Middle (MITM) scenario to decrypt network traffic. The vulnerability affects Connect M6E 5G firmware versions up to and including M6E_AI_1.00.000019. Acer has published a mitigation advisory.

Vendor: Acer
Product: Connect M6E 5G firmware
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Organizations deploying Acer Connect M6E 5G devices for remote connectivity, network administrators managing these devices, and security teams responsible for telecommunications infrastructure integrity.

Technical summary

The Acer Connect M6E 5G firmware implements TrustAllCerts routines that bypass standard TLS certificate chain validation. The firmware also contains hard-coded DES symmetric encryption keys. Together these weaknesses allow an attacker who has obtained a man-in-the-middle position on the network path (the positioning requirement behind the AC:H, high attack complexity, rating) to intercept and decrypt network traffic. The vulnerability is rated CRITICAL with a CVSS 4.0 score of 9.2. Affected versions are firmware M6E_AI_1.00.000019 and earlier. The underlying weakness is categorized as CWE-330.
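
The following is an added example, not code from Acer or from the advisory: a heuristic source audit that flags the two patterns named above (a certificate validator that accepts any chain, and DES used with a literal key). It assumes Java-style code (X509TrustManager, Cipher, SecretKeySpec); the sample sources, class names and key string are constructed for illustration.

```python
import re

# Constructed samples in decompiled-Java style; not taken from the Acer firmware.
WEAK = '''
class TrustAllCerts implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept everything
    }
}
class Codec {
    byte[] enc(byte[] d) throws Exception {
        SecretKeySpec k = new SecretKeySpec("EXAMPLE1".getBytes(), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(1, k); return c.doFinal(d);
    }
}'''
OK = '''
class Pinned implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        if (!pins.contains(fp(c[0]))) { throw new CertificateException("pin mismatch"); }
    }
}
class Codec2 { Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); }'''

DEF = re.compile(r'void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{')
DES_CIPHER = re.compile(r'Cipher\.getInstance\(\s*"DES(?:/[^"]*)?"')  # DES only, not DESede
DES_KEY = re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"\.getBytes\([^)]*\)\s*,\s*"DES"')

def method_body(src, open_brace):
    """Text between the brace at open_brace and its matching close."""
    depth = 0
    for j in range(open_brace, len(src)):
        depth += {'{': 1, '}': -1}.get(src[j], 0)
        if depth == 0:
            return src[open_brace + 1:j]
    return src[open_brace + 1:]  # unbalanced input: take the rest

def audit(src):
    """Return the set of weakness labels found in one source file."""
    src = re.sub(r'//[^\n]*|/\*.*?\*/', '', src, flags=re.S)  # drop comments (heuristic)
    found = set()
    for m in DEF.finditer(src):
        body = method_body(src, m.end() - 1)
        # A validator that never throws and never delegates accepts any chain.
        if not re.search(r'\bthrow\b|checkServerTrusted\s*\(', body):
            found.add('trust-all-certs')
    if DES_CIPHER.search(src):
        found.add('des-cipher')
    if DES_KEY.search(src):
        found.add('hardcoded-des-key')
    return found

if __name__ == '__main__':
    print(sorted(audit(WEAK)), sorted(audit(OK)))
```

The checks are regex heuristics, so a hit is a lead for manual review of the extracted code rather than proof of the flaw.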

Defensive priority

Critical

Recommended defensive actions

  • Apply the vendor mitigation guidance from Acer for Connect M6E 5G firmware.
  • Upgrade firmware beyond version M6E_AI_1.00.000019 when a patched release becomes available.
  • Restrict network access to affected device management interfaces and avoid untrusted networks until patched.
  • Monitor for unauthorized device configuration changes or unexpected network traffic patterns.
  • Review network segmentation to limit exposure of affected devices to potential MITM positions.

Evidence notes

NVD lists vulnStatus as Analyzed. CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N. CPE criteria identify affected firmware and hardware. Weakness mapped to CWE-330 (Use of Insufficiently Random Values).
