PatchSiren cyber security CVE debrief
CVE-2026-50226 Acer CVE debrief
The AcerConnect OTA application had a security issue (CVE-2026-50226) where fixed AES-128-CBC keys were used, allowing attackers to forge authorization credentials for any IMEI number. This vulnerability, with a CVSS score of 6.9, enabled unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
- Vendor
- Acer
- Product
- Connect M6E 5G Portable WiFi Router
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-08
Who should care
Users of Acer's Connect M6E 5G devices and administrators of networks where these devices are used.
Technical summary
The vulnerability (CVE-2026-50226) was caused by the use of fixed AES-128-CBC keys in the AcerConnect OTA application. This allowed attackers to forge authorization credentials for arbitrary IMEI numbers, potentially leading to unauthorized access to sensitive information.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by Acer to fix the vulnerability.
- Use secure authentication mechanisms and validate IMEI numbers properly.
- Monitor for suspicious activity related to AcerConnect OTA application and IMEI numbers.
Evidence notes
Evidence from NVD (National Vulnerability Database) and Acer's official advisory.
Official resources
-
CVE-2026-50226 CVE record
CVE.org
-
CVE-2026-50226 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
8fc372e3-d9c5-46e4-9410-38469745c639 - Mitigation, Vendor Advisory
CVE-2026-50226 was published on 2026-06-04T10:16:40.247Z and modified on 2026-06-08T12:57:32.277Z.