CVE-2026-49204: CWE-798: Use of Hard-coded Credentials in Acer Connect M6E 5G Portable WiFi Router
CVE-2026-49204 is a medium severity vulnerability in the Acer Connect M6E 5G Portable WiFi Router involving the use of hard-coded credentials. Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, which could potentially be exploited to access internal assets. The vulnerability has a CVSS 4. 0 base score of 6. 9, indicating a network attack vector with low complexity and no required privileges or user interaction. The affected product is a cloud service, and a patch is available. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-49204) arises from leftover debug modules in the Acer Connect M6E 5G Portable WiFi Router that include hard-coded credentials for internal AWS Cognito test sandboxes. These fixed credentials could allow unauthorized access to internal assets if exploited. The vulnerability is remotely exploitable without authentication or user interaction, with low attack complexity. The product is cloud-hosted, and the vendor manages remediation for the cloud service. The CVSS 4.0 score is 6.9 (medium severity).
Potential Impact
The presence of hard-coded credentials in debug modules risks unauthorized access to internal AWS Cognito test sandboxes, potentially exposing internal assets. The vulnerability can be exploited remotely without privileges or user interaction, which increases risk. However, no known exploits have been reported in the wild. The impact is limited to the exposure of internal test environments rather than production systems.
Mitigation Recommendations
A patch is available for this vulnerability. Since the affected product is a cloud service, the vendor (Acer) manages remediation server-side. Security teams should verify with Acer's official advisory or support channels that the patch has been applied and the debug modules with hard-coded credentials have been removed. No additional mitigation actions are indicated at this time.
CVE-2026-49204: CWE-798: Use of Hard-coded Credentials in Acer Connect M6E 5G Portable WiFi Router
Description
CVE-2026-49204 is a medium severity vulnerability in the Acer Connect M6E 5G Portable WiFi Router involving the use of hard-coded credentials. Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, which could potentially be exploited to access internal assets. The vulnerability has a CVSS 4. 0 base score of 6. 9, indicating a network attack vector with low complexity and no required privileges or user interaction. The affected product is a cloud service, and a patch is available. There are no known exploits in the wild at this time.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-49204) arises from leftover debug modules in the Acer Connect M6E 5G Portable WiFi Router that include hard-coded credentials for internal AWS Cognito test sandboxes. These fixed credentials could allow unauthorized access to internal assets if exploited. The vulnerability is remotely exploitable without authentication or user interaction, with low attack complexity. The product is cloud-hosted, and the vendor manages remediation for the cloud service. The CVSS 4.0 score is 6.9 (medium severity).
Potential Impact
The presence of hard-coded credentials in debug modules risks unauthorized access to internal AWS Cognito test sandboxes, potentially exposing internal assets. The vulnerability can be exploited remotely without privileges or user interaction, which increases risk. However, no known exploits have been reported in the wild. The impact is limited to the exposure of internal test environments rather than production systems.
Mitigation Recommendations
A patch is available for this vulnerability. Since the affected product is a cloud service, the vendor (Acer) manages remediation server-side. Security teams should verify with Acer's official advisory or support channels that the patch has been applied and the debug modules with hard-coded credentials have been removed. No additional mitigation actions are indicated at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Acer
- Date Reserved
- 2026-05-28T02:47:39.776Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a217ebae29bf47b50a6c5b4
Added to database: 6/4/2026, 1:33:46 PM
Last enriched: 6/4/2026, 1:49:04 PM
Last updated: 6/4/2026, 2:57:55 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.